+```
+
+#### Step 4: Test KUBECONFIG Locally (Optional)
+
+```bash
+# Set kubeconfig path
+export KUBECONFIG=/path/to/kubeconfig_soil38
+
+# Test connectivity
+kubectl get nodes
+
+# You should see your cluster nodes listed
+```
+
+### Official Documentation
+- **Kubernetes Config**: https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/
+- **kubectl Installation**: https://kubernetes.io/docs/tasks/tools/
+
+### Where to Use It
+
+Add as **Environment Secret** in GitHub (not repository secret):
+
+**Secret Name**: `KUBECONFIG`
+
+**Secret Value**: Complete contents of the kubeconfig file
+
+```yaml
+# Example format (your actual values will be different):
+apiVersion: v1
+clusters:
+- cluster:
+ certificate-authority-data: LS0tLS1CRUdJTi...
+ server: https://10.0.1.10:6443
+ name: soil38
+contexts:
+- context:
+ cluster: soil38
+ user: soil38
+ name: soil38
+current-context: soil38
+kind: Config
+preferences: {}
+users:
+- name: soil38
+ user:
+ client-certificate-data: LS0tLS1CRUdJTi...
+ client-key-data: LS0tLS1CRUdJTi...
+```
+
+### Common Pitfalls
+- ❌ Trying to get KUBECONFIG before infrastructure is deployed
+- ❌ Adding KUBECONFIG as repository secret (should be environment secret)
+- ❌ Not including complete file content (missing BEGIN/END lines)
+- ❌ Using KUBECONFIG from wrong cluster
+- ❌ WireGuard VPN not active when testing kubectl access
+
+---
+
+## 6. reCAPTCHA Keys
+
+### What is it?
+reCAPTCHA is Google's service that protects websites from bots and spam by verifying users are human.
+
+### Why do you need it?
+- To protect MOSIP web portals (PreReg, Admin, Resident) from automated attacks
+- To prevent spam registrations and malicious bots
+- Required for production deployments
+
+### How to Generate reCAPTCHA Keys
+
+You need **separate reCAPTCHA keys for each MOSIP portal**:
+- PreReg portal: `prereg.your-domain.net`
+- Admin portal: `admin.your-domain.net`
+- Resident portal: `resident.your-domain.net`
+
+#### Step-by-Step for Each Domain:
+
+1. **Go to Google reCAPTCHA Admin Console**
+ - Visit: https://www.google.com/recaptcha/admin/create
+ - Sign in with your Google account
+
+2. **Create New Site**
+ - **Label**: `MOSIP PreReg` (or Admin/Resident)
+ - **reCAPTCHA type**: Select **"reCAPTCHA v2"**
+ - **Sub-type**: Select **"I'm not a robot" Checkbox**
+
+3. **Add Domain**
+ - Enter your domain: `prereg.your-domain.net`
+ - Example: `prereg.soil.mosip.net`
+ - Click "+" to add
+
+4. **Accept Terms**
+ - Check "Accept the reCAPTCHA Terms of Service"
+ - Click "Submit"
+
+5. **Save Keys**
+ You will receive two keys:
+ ```
+ Site Key: 6LfkAMwrAAAAAATB1WhkIhzuAVMtOs9VWabODoZ_
+ Secret Key: 6LfkAMwrAAAAAHQAT93nTGcLKa-h3XYhGoNSG-NL
+ ```
+
+6. **Repeat for Other Domains**
+ - Create separate reCAPTCHA for Admin portal
+ - Create separate reCAPTCHA for Resident portal
+
+### Official Documentation
+- **Google reCAPTCHA Documentation**: https://developers.google.com/recaptcha/intro
+- **reCAPTCHA v2 Guide**: https://developers.google.com/recaptcha/docs/display
+
+### Where to Use It
+
+Update in `Helmsman/dsf/external-dsf.yaml` file:
+
+```yaml
+# Around line 315 in external-dsf.yaml
+hooks:
+ postInstall: "$WORKDIR/hooks/captcha-setup.sh PREREG_SITE_KEY PREREG_SECRET_KEY ADMIN_SITE_KEY ADMIN_SECRET_KEY RESIDENT_SITE_KEY RESIDENT_SECRET_KEY"
+```
+
+**Replace placeholders with actual keys:**
+
+```yaml
+hooks:
+ postInstall: "$WORKDIR/hooks/captcha-setup.sh 6LfkAMwrAAAAAATB1WhkIhzuAVMtOs9VWabODoZ_ 6LfkAMwrAAAAAHQAT93nTGcLKa-h3XYhGoNSG-NL 6LdNAcwrAAAAAETGWvz-3I12vZ5V8vPJLu2ct9CO 6LdNAcwrAAAAAE4iWGJ-g6Dc2HreeJdIwAl5h1iL 6LdRAcwrAAAAAFUEHHKK5D_bSrwAPqdqAJqo4mCk 6LdRAcwrAAAAAOeVl6yHGBCBA8ye9GsUOy4pi9s9"
+```
+
+**Key Order:**
+1. PreReg Site Key
+2. PreReg Secret Key
+3. Admin Site Key
+4. Admin Secret Key
+5. Resident Site Key
+6. Resident Secret Key
+
+### Common Pitfalls
+- ❌ Using the same reCAPTCHA for all three portals (need separate ones!)
+- ❌ Wrong domain name in reCAPTCHA setup
+- ❌ Mixing up site keys and secret keys
+- ❌ Wrong order of keys in captcha-setup.sh arguments
+- ❌ Not updating keys after changing domain names
+
+---
+
+## 7. How to Add Secrets to GitHub
+
+### Understanding Secret Types
+
+#### Repository Secrets
+- **Scope**: Available to all branches and environments
+- **Use case**: Cloud credentials, SSH keys, GPG passphrase
+- **Where to add**: Settings → Secrets and variables → Actions → Repository secrets
+
+#### Environment Secrets
+- **Scope**: Specific to a deployment environment/branch
+- **Use case**: KUBECONFIG, WireGuard configs (different per environment)
+- **Where to add**: Settings → Secrets and variables → Actions → Environments
+
+### Step-by-Step: Adding Repository Secrets
+
+1. **Navigate to Repository Settings**
+ ```
+ Your Repository → Settings → Secrets and variables → Actions
+ ```
+
+2. **Click "Repository secrets" Tab**
+
+3. **Click "New repository secret"**
+
+4. **Add Secret**
+ - **Name**: Enter secret name (e.g., `AWS_ACCESS_KEY_ID`)
+ - **Value**: Paste secret value
+ - Click "Add secret"
+
+5. **Repeat for All Repository Secrets**
+ - `GPG_PASSPHRASE`
+ - `AWS_ACCESS_KEY_ID`
+ - `AWS_SECRET_ACCESS_KEY`
+ - `mosip-aws` (or your SSH key name)
+
+### Step-by-Step: Adding Environment Secrets
+
+1. **Create Environment (if not exists)**
+ ```
+ Settings > Environments > New environment
+ ```
+ - **Name**: Your branch name (e.g., `release-0.1.0`, `main`, `develop`)
+ - Click "Configure environment"
+
+2. **Add Environment Secrets**
+ - Scroll to "Environment secrets" section
+ - Click "Add secret"
+ - **Name**: Enter secret name (e.g., `KUBECONFIG`)
+ - **Value**: Paste secret value
+ - Click "Add secret"
+
+3. **Repeat for All Environment Secrets**
+ - `KUBECONFIG`
+ - `TF_WG_CONFIG`
+ - `CLUSTER_WIREGUARD_WG0`
+ - `CLUSTER_WIREGUARD_WG1` (optional)
+
+### Official Documentation
+- **GitHub Secrets Documentation**: https://docs.github.com/en/actions/security-guides/encrypted-secrets
+
+### Visual Guide
+
+```
+Repository Structure:
+├── Repository Secrets (global, all branches)
+│ ├── GPG_PASSPHRASE
+│ ├── AWS_ACCESS_KEY_ID
+│ ├── AWS_SECRET_ACCESS_KEY
+│ └── mosip-aws (SSH private key)
+│
+└── Environments
+ ├── release-0.1.0 (environment)
+ │ ├── KUBECONFIG
+ │ ├── TF_WG_CONFIG
+ │ ├── CLUSTER_WIREGUARD_WG0
+ │ └── CLUSTER_WIREGUARD_WG1
+ │
+ ├── main (environment)
+ │ └── (same secrets as above)
+ │
+ └── develop (environment)
+ └── (same secrets as above)
+```
+
+### Common Pitfalls
+- ❌ Adding KUBECONFIG as repository secret (should be environment secret)
+- ❌ Environment name doesn't match branch name
+- ❌ Copy-paste errors (extra spaces, newlines)
+- ❌ Not updating secrets after rotation
+- ❌ Typos in secret names (case-sensitive!)
+
+---
+
+## Quick Reference Checklist
+
+Use this checklist to ensure you've generated and configured all required secrets:
+
+### Repository Secrets (Do Once)
+- [ ] SSH Key Pair generated
+- [ ] SSH Public Key added to AWS EC2 Key Pairs
+- [ ] SSH Private Key added to GitHub Repository Secret
+- [ ] GPG Passphrase generated and added
+- [ ] AWS Access Key ID obtained and added
+- [ ] AWS Secret Access Key obtained and added
+
+### Infrastructure Deployment
+- [ ] Terraform base-infra deployed successfully
+- [ ] WireGuard VPN configured on jump server
+- [ ] WireGuard client installed on your computer
+- [ ] TF_WG_CONFIG environment secret added
+
+### Main Infrastructure
+- [ ] Terraform infra deployed successfully
+- [ ] KUBECONFIG file downloaded from Terraform outputs
+- [ ] KUBECONFIG added as environment secret
+- [ ] WireGuard cluster access configs added
+
+### MOSIP Services
+- [ ] reCAPTCHA keys generated for PreReg portal
+- [ ] reCAPTCHA keys generated for Admin portal
+- [ ] reCAPTCHA keys generated for Resident portal
+- [ ] reCAPTCHA keys added to external-dsf.yaml
+
+---
+
+## Troubleshooting
+
+### Secret Not Working
+
+**Check these common issues:**
+
+1. **Typo in secret name**
+ - Secret names are case-sensitive
+ - Verify exact name matches workflow configuration
+
+2. **Wrong secret type**
+ - Verify if it should be repository or environment secret
+ - Check if workflow is using correct environment
+
+3. **Invalid format**
+ - Ensure no extra spaces or newlines
+ - Include complete content (BEGIN/END lines for keys)
+
+4. **Secret not accessible**
+ - Verify workflow has permission to access secrets
+ - Check environment protection rules
+
+### Need Help?
+
+- **GitHub Issues**: Report problems in repository issues
+- **MOSIP Community**: Join community channels for support
+- **Documentation**: Refer to component-specific guides
+
+---
+
+**Navigation**: [Back to Main README](../README.md) | [View Glossary](GLOSSARY.md)
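Review bot: the "Save Keys" step and the "Replace placeholders with actual keys" block in the reCAPTCHA section commit six values of the form `6LfkAMwrAAAAAATB1WhkIhzuAVMtOs9VWabODoZ_` / `6LfkAMwrAAAAAHQAT93nTGcLKa-h3XYhGoNSG-NL` into the docs, three of them labelled Secret Key; if these were ever issued by the reCAPTCHA console they are now in git history and should be rotated, and the guide should show obvious placeholders such as `<PREREG_SECRET_KEY>` instead. The same section tells the reader to paste the secret keys straight into the `postInstall:` line of `Helmsman/dsf/external-dsf.yaml`, a tracked file, so they will be committed next to the domain config; since this guide already separates repository and environment secrets, the hook arguments should be fed from GitHub secrets via the workflow environment, and "Common Pitfalls" should add "committing reCAPTCHA secret keys to the repository". Two smaller points: the KUBECONFIG pitfall "missing BEGIN/END lines" describes PEM files, whereas the kubeconfig example carries its certificates as base64 `*-data` fields, so the wording should say "truncated base64 data"; and in that example `certificate-authority-data`, `server` and `name` sit at one indentation level as rendered here, while `name` must be a sibling of `cluster` with the other two nested under it, so check the indentation survived the paste.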
diff --git a/docs/TERRAFORM_WORKFLOW_GUIDE.md b/docs/TERRAFORM_WORKFLOW_GUIDE.md
new file mode 100644
index 00000000..5cef42dc
--- /dev/null
+++ b/docs/TERRAFORM_WORKFLOW_GUIDE.md
@@ -0,0 +1,101 @@
+# Things to Know While Working with Terraform Workflows
+
+## GitHub Actions Workflow Parameters Reference
+
+> **Visual Guide:** See [Workflow Guide - Workflow Parameters Explained](WORKFLOW_GUIDE.md#workflow-parameters-explained) for detailed explanations with examples!
+
+## Common Parameters for All Terraform Workflows
+
+- **`CLOUD_PROVIDER`**: `aws` | `azure` | `gcp` (cloud platform selection)
+ - **Choose**: `aws` (only fully functional option)
+ - Azure/GCP are placeholder implementations
+- **`TERRAFORM_COMPONENT`**: `base-infra` | `infra` | `observ-infra` (infrastructure component)
+ - **base-infra**: VPC, networking, jump server (deploy FIRST)
+ - **observ-infra**: Rancher management cluster (optional)
+ - **infra**: MOSIP Kubernetes cluster (main deployment)
+- **`SSH_PRIVATE_KEY`**: GitHub secret name containing SSH private key for instance access
+ - Must match the `ssh_key_name` in your terraform.tfvars
+ - [How to create SSH keys](SECRET_GENERATION_GUIDE.md#1-ssh-keys)
+- **`TERRAFORM_APPLY`**: Checkbox ☐ or ✅ (apply changes or plan-only mode)
+ - ☐ **Unchecked** = Dry run (preview only, **no infrastructure changes**)
+ - ✅ **Checked** = Apply (actually creates infrastructure, **real changes**)
+- **Visual Explanation:**
+
+```
+☐ Unchecked → Terraform Plan Only
+→ Shows: "Will create 25 resources"
+→ Does: Nothing (preview only)
+→ AWS: No changes made
+
+✅ Checked → Terraform Apply
+→ Shows: "Creating resources..."
+→ Does: Creates actual infrastructure
+→ AWS: Servers, networks, databases created
+→ Cost: Billing starts
+```
+
+- **Relationship with Rancher Import:**
+
+```
+If Terraform Apply = ✅ AND Rancher Import = True
+→ Infrastructure deployed AND cluster imported to Rancher UI
+
+If Terraform Apply = ✅ AND Rancher Import = False
+→ Infrastructure deployed but cluster runs standalone
+
+If Terraform Apply = ☐ (unchecked - dry run)
+→ Nothing happens, just shows plan
+→ Rancher Import setting is ignored
+```
+
+## Backend Configuration Options
+
+- **`local`**: GPG-encrypted local state storage (recommended for development and small teams)
+ - State files stored in repository with GPG encryption
+ - No external dependencies required
+ - Automatic encryption/decryption via GitHub Actions
+ - **Best for**: Development, testing, small teams
+ - **Requires**: GPG_PASSPHRASE secret
+- **`s3`**: Remote S3 backend storage (recommended for production and large teams)
+ - Centralized state storage in AWS S3
+ - DynamoDB state locking support
+ - Cross-team collaboration friendly
+ - **Best for**: Production, large teams, multiple environments
+ - **Requires**: S3 bucket and DynamoDB table setup
+
+## Understanding Terraform Modes
+
+Before running any Terraform workflow, understand these modes:
+
+| Mode | What It Does | When to Use | Visual |
+| ------------------------------------------------ | ---------------------------------------------- | ------------------------------------------ | ------------------ |
+| **Terraform Plan** (checkbox unchecked ☐) | Shows what WOULD happen without making changes | Testing configurations, previewing changes | ☐ Terraform apply |
+| **Apply** (checkbox checked ✅) | Actually creates/modifies infrastructure | Real deployments, making actual changes | ✅ Terraform apply |
+
+**Tip**: Always run terraform plan first to preview changes, then run with apply checked to actually deploy!
+
+## Best Practices
+
+1. **Always Plan First**: Use unchecked mode (☐) to preview changes before applying
+2. **Consistent Naming**: Ensure `ssh_key_name` matches across terraform.tfvars and GitHub secrets
+3. **Secret Management**: Keep SSH private keys secure and never commit to repository
+4. **Environment Isolation**: Use separate branches/environments for different deployments
+5. **State Management**: Choose appropriate backend (local vs S3) based on team size and requirements
+
+## Troubleshooting Common Issues
+
+### SSH Key Mismatch
+**Error**: "Key pair 'xxx' does not exist"
+**Solution**: Ensure the `ssh_key_name` value in terraform.tfvars matches the GitHub secret name exactly (case-sensitive)
+
+### State Lock Issues
+**Error**: "Error locking state: ConditionalCheckFailedException"
+**Solution**: Wait for previous operations to complete, or manually unlock state if previous run was interrupted
+
+### Permission Errors
+**Error**: "UnauthorizedOperation: You are not authorized to perform this operation"
+**Solution**: Verify AWS credentials have sufficient permissions for the resources being created
+
+### Backend Configuration Errors
+**Error**: "Backend configuration changed"
+**Solution**: Run terraform init to reinitialize backend configuration
\ No newline at end of file
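Review bot: the "Backend Configuration Errors" entry at the end of the hunk recommends "Run terraform init", but that is the command that emits "Backend configuration changed"; Terraform's own message points to `terraform init -migrate-state` (carry existing state to the new backend) or `terraform init -reconfigure` (keep the new backend config, do not migrate), so the solution should name those two and say when each applies. In the `local` backend bullets, "State files stored in repository with GPG encryption" should add that Terraform state holds resource attributes, including any credentials Terraform has seen, in plaintext inside that encrypted file, so `GPG_PASSPHRASE` is the only thing standing between the repository history and every secret in state and must be treated accordingly. The "State Lock Issues" entry (`ConditionalCheckFailedException`) only arises with the `s3` backend's DynamoDB locking, which is worth stating since `local` is the recommended default, and "manually unlock state" should be qualified with "only after confirming no other workflow run is still in progress". Minor: the file lacks a trailing newline.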
diff --git a/docs/WORKFLOW_GUIDE.md b/docs/WORKFLOW_GUIDE.md
new file mode 100644
index 00000000..1bd31489
--- /dev/null
+++ b/docs/WORKFLOW_GUIDE.md
@@ -0,0 +1,763 @@
+# GitHub Actions Workflow Guide
+
+This guide provides detailed, step-by-step instructions for running Terraform and Helmsman workflows through GitHub Actions. Perfect for beginners who need visual guidance on navigating the GitHub interface.
+
+## Table of Contents
+
+1. [Understanding Workflow Basics](#understanding-workflow-basics)
+2. [Terraform Workflows](#terraform-workflows)
+3. [Helmsman Workflows](#helmsman-workflows)
+4. [Workflow Parameters Explained](#workflow-parameters-explained)
+5. [Common Issues and Solutions](#common-issues-and-solutions)
+
+---
+
+## Understanding Workflow Basics
+
+### What You'll See
+When you run workflows, you'll interact with GitHub's web interface. Here's what to expect:
+
+```
+Your Repository
+└── Actions Tab (at the top)
+ ├── All workflows (left sidebar)
+ ├── Workflow runs (center)
+ └── Run workflow button (right side)
+```
+
+### Key Concepts
+
+#### Terraform Apply vs Dry Run
+
+| Mode | What It Does | When to Use |
+|------|--------------|-------------|
+| **Apply** (checkbox ✅) | Actually creates/modifies infrastructure | Production deployments, real changes |
+| **Dry Run** (checkbox ☐) | Shows what WOULD happen without making changes | Testing configurations, previewing changes |
+
+**Example:**
+- ✅ **Checked** → Terraform will create actual AWS servers
+- ☐ **Unchecked** → Terraform only shows you the plan (no changes made)
+
+#### Rancher Import Option
+
+| Setting | What It Does | When to Use |
+|---------|--------------|-------------|
+| **True** | Automatically imports cluster into Rancher UI | If you want centralized cluster management |
+| **False** | Cluster runs independently | For standalone deployments |
+
+**Relationship with Terraform Apply:**
+```
+If Terraform Apply = ✅ AND Rancher Import = True
+ → Cluster is deployed AND imported into Rancher
+
+If Terraform Apply = ✅ AND Rancher Import = False
+ → Cluster is deployed but NOT imported
+
+If Terraform Apply = ☐ (unchecked)
+ → Dry run only, nothing happens (Rancher import setting is ignored)
+```
+
+---
+
+## Terraform Workflows
+
+### Workflow 1: Base Infrastructure
+
+**What it does**: Creates the foundation - VPC, networking, jump server, WireGuard VPN
+
+#### Step-by-Step Navigation
+
+1. **Open GitHub Actions**
+ ```
+ Click: Your Repository → Actions (top menu bar)
+ ```
+
+2. **Find the Workflow**
+ ```
+ Left Sidebar: Look for "Terraform Base Infrastructure"
+ Click on it
+ ```
+
+3. **Start the Workflow**
+ ```
+ Right Side: Click "Run workflow" button (dropdown)
+ ```
+
+4. **Configure Parameters**
+ You'll see a form with these fields:
+
+ | Parameter | What to Select | Example | Notes |
+ |-----------|---------------|---------|-------|
+ | **Use workflow from** | `Branch: release-0.1.0` | Your deployment branch | Dropdown at top |
+ | **Cloud Provider** | `aws` | `aws` | Azure/GCP not fully implemented |
+ | **Component** | `base-infra` | `base-infra` | Creates VPC & networking |
+ | **Backend** | `local` or `s3` | `local` for dev, `s3` for prod | Where Terraform stores state |
+ | **Terraform apply** | ✅ Check this box | ✅ | Leave unchecked for dry run |
+
+5. **Run the Workflow**
+ ```
+ Bottom of form: Click green "Run workflow" button
+ ```
+
+6. **Monitor Progress**
+ ```
+ Watch the workflow run in real-time
+ Yellow circle = Running
+ Green checkmark = Success
+ Red X = Failed
+ ```
+
+#### What You Should See
+
+**During Execution:**
+```
+✓ Setup environment
+✓ Configure WireGuard
+✓ Run Terraform init
+✓ Run Terraform plan
+→ Run Terraform apply (if checked)
+✓ Complete
+```
+
+**After Success:**
+- VPC created in AWS
+- Jump server running
+- WireGuard VPN configured
+- Security groups configured
+- Output shows server IP addresses
+
+---
+
+### Workflow 2: Main Infrastructure
+
+**What it does**: Creates MOSIP Kubernetes cluster, PostgreSQL (optional), application infrastructure
+
+#### Step-by-Step Navigation
+
+1. **Open GitHub Actions**
+ ```
+ Click: Your Repository → Actions
+ ```
+
+2. **Find the Workflow**
+ ```
+ Left Sidebar: Look for "Terraform Infrastructure"
+ Click on it
+ ```
+
+ **Note**: The workflow name might also appear as:
+ - "Terraform"
+ - "Deploy Infrastructure"
+ - Check for keywords: "Infrastructure" or "Main Infra"
+
+3. **Start the Workflow**
+ ```
+ Click: "Run workflow" button (right side)
+ ```
+
+4. **Configure Parameters**
+
+ | Parameter | What to Select | Example | Why? |
+ |-----------|---------------|---------|------|
+ | **Use workflow from** | `Branch: release-0.1.0` | Your branch | Dropdown at top |
+ | **Cloud Provider** | `aws` | `aws` | Where to deploy |
+ | **Component** | `infra` | `infra` | Main MOSIP infrastructure |
+ | **Backend** | `local` or `s3` | `local` | State storage location |
+ | **Terraform apply** | ✅ | ✅ | Check to deploy, uncheck for dry run |
+
+5. **Run the Workflow**
+ ```
+ Click: Green "Run workflow" button
+ ```
+
+6. **Monitor Progress** (This takes 15-30 minutes)
+ ```
+ → Creating Kubernetes cluster
+ → Installing RKE2
+ → Configuring networking
+ → Setting up PostgreSQL (if enabled)
+ → Importing to Rancher (if enabled)
+ ```
+
+#### What You Should See
+
+**Success Indicators:**
+- ✅ Kubernetes cluster created
+- ✅ Multiple nodes visible in AWS EC2
+- ✅ KUBECONFIG file generated
+- ✅ PostgreSQL running (if enabled)
+
+**Outputs to Save:**
+- KUBECONFIG file location
+- Cluster endpoint URL
+- Node IP addresses
+
+---
+
+### Workflow 3: Observability Infrastructure (Optional)
+
+**What it does**: Creates Rancher management cluster for monitoring multiple MOSIP clusters
+
+#### When to Use
+- Managing multiple MOSIP environments
+- Need centralized cluster management UI
+- Want advanced monitoring dashboards
+
+#### Step-by-Step Navigation
+
+1. **Open GitHub Actions**
+ ```
+ Click: Repository → Actions
+ ```
+
+2. **Find the Workflow**
+ ```
+ Left Sidebar: "Terraform Observability Infrastructure"
+ OR look for: "Observ Infra" / "Monitoring Infrastructure"
+ ```
+
+3. **Configure Parameters**
+
+ | Parameter | What to Select | Example |
+ |-----------|---------------|---------|
+ | **Branch** | `release-0.1.0` | Your deployment branch |
+ | **Cloud Provider** | `aws` | `aws` |
+ | **Component** | `observ-infra` | `observ-infra` |
+ | **Backend** | `local` or `s3` | `local` for dev |
+ | **Terraform apply** | ✅ | Check to deploy |
+
+4. **Run and Monitor**
+ - Deployment takes 10-20 minutes
+ - Creates separate Rancher management cluster
+
+---
+
+## Helmsman Workflows
+
+### Understanding Helmsman Modes
+
+**IMPORTANT**: For Helmsman, ALWAYS use `apply` mode. Dry-run mode will fail!
+
+**Why dry-run fails:**
+- Helmsman checks dependencies between namespaces
+- Dry-run doesn't create shared configmaps/secrets
+- Validation fails when resources don't exist yet
+
+**Always use:**
+```
+Mode: apply ✅
+```
+
+---
+
+### Workflow 1: Prerequisites & External Dependencies
+
+**What it does**: Deploys monitoring, Istio, databases, message queues, storage
+
+**Workflow Name in GitHub**: `Deploy External services of mosip using Helmsman`
+
+**Note**: The documentation might refer to this as "Helmsman External Dependencies" but the actual workflow file is named differently. Look for either name!
+
+#### Step-by-Step Navigation
+
+1. **Open GitHub Actions**
+ ```
+ Click: Repository → Actions
+ ```
+
+2. **Find the Workflow**
+ ```
+ Left Sidebar: Look for EITHER:
+ - "Deploy External services of mosip using Helmsman" (actual name)
+ - "Helmsman External Dependencies" (documentation name)
+ - Keywords: "External" or "Dependencies"
+ ```
+
+3. **Start the Workflow**
+ ```
+ Click: "Run workflow" button
+ ```
+
+4. **Configure Parameters**
+
+ | Parameter | What to Select | Why? |
+ |-----------|---------------|------|
+ | **Branch** | `release-0.1.0` | Your deployment branch |
+ | **Mode** | `apply` | MUST be apply, not dry-run! |
+
+5. **What Happens Automatically**
+
+ This workflow deploys TWO DSF files in parallel:
+
+ **Part 1: Prerequisites** (`prereq-dsf.yaml`)
+ ```
+ → Monitoring stack (Prometheus, Grafana)
+ → Istio service mesh
+ → Logging stack (optional)
+ ```
+
+ **Part 2: External Dependencies** (`external-dsf.yaml`)
+ ```
+ → PostgreSQL (if container mode)
+ → MinIO (object storage)
+ → Kafka (messaging)
+ → ActiveMQ (messaging)
+ → Keycloak (identity management)
+ ```
+
+6. **Monitor Progress** (Takes 20-40 minutes)
+ ```
+ → Installing monitoring
+ → Deploying Istio
+ → Creating databases
+ → Setting up message queues
+ ```
+
+7. **Automatic Trigger**
+ ```
+ ✅ On success → Automatically triggers MOSIP Services deployment
+ ❌ On failure → You must manually trigger next workflow
+ ```
+
+#### What You Should See
+
+**Check Pod Status:**
+```bash
+kubectl get pods -n cattle-monitoring-system
+kubectl get pods -n istio-system
+kubectl get pods -n postgres
+kubectl get pods -n kafka
+```
+
+**All pods should show:**
+```
+STATUS: Running
+READY: X/X (e.g., 1/1, 2/2)
+```
+
+---
+
+### Workflow 2: MOSIP Core Services
+
+**What it does**: Deploys all MOSIP application services
+
+**Workflow Name**: `Deploy MOSIP services using Helmsman`
+
+#### Step-by-Step Navigation
+
+1. **Verify Prerequisites**
+ ```bash
+ # FIRST: Ensure all external services are running
+ kubectl get pods --all-namespaces | grep -v Running
+ # Should return nothing (or only Completed pods)
+ ```
+
+2. **Find the Workflow**
+ ```
+ GitHub Actions → Left Sidebar → Look for:
+ - "Deploy MOSIP services using Helmsman"
+ - "Deploy MOSIP services using Helmsman" (alternative)
+ - Keywords: "MOSIP" or "Services"
+ ```
+
+3. **Trigger Method**
+
+ **Option A: Automatic (Recommended)**
+ - Workflow triggers automatically after external dependencies succeed
+ - No action needed if previous workflow passed
+
+ **Option B: Manual**
+ - Click "Run workflow"
+ - Select branch: `release-0.1.0`
+ - Select mode: `apply`
+ - Click "Run workflow"
+
+4. **Monitor Progress** (Takes 30-60 minutes)
+ ```
+ → Config Server
+ → Artifactory Server
+ → Kernel services
+ → Pre-registration services
+ → Registration Processor
+ → ID Repository
+ → Authentication services
+ → Partner Management
+ → Resident Services
+ ```
+
+5. **Handle Onboarding Failures**
+
+ **Known Issue**: Partner onboarding may fail on first attempt
+
+ **What to do:**
+ ```
+ 1. Check logs for onboarding errors
+ 2. Follow manual onboarding procedure
+ 3. Verify all services are running before test rigs
+ ```
+
+#### What You Should See
+
+**Check MOSIP Pods:**
+```bash
+kubectl get pods -A
+```
+
+**Expected Output:**
+```
+NAME READY STATUS RESTARTS
+prereg-application-0 1/1 Running 0
+regproc-stage-group1-0 1/1 Running 0
+kernel-auth-0 1/1 Running 0
+idrepo-identity-0 1/1 Running 0
+...
+```
+
+**All pods should be Running before proceeding!**
+
+---
+
+### Workflow 3: Test Rigs (Optional)
+
+**What it does**: Deploys automated testing infrastructure
+
+**IMPORTANT**: Only run after ALL MOSIP services are running successfully!
+
+#### Step-by-Step Navigation
+
+1. **Verify All Services Running**
+ ```bash
+ # Check all namespaces
+ kubectl get pods -A | grep -v Running | grep -v Completed
+ # Should return nothing!
+
+ # Check external services
+ kubectl get pods -n postgres | grep -v Running
+ kubectl get pods -n keycloak | grep -v Running
+ # All should return nothing!
+ ```
+
+2. **Find the Workflow**
+ ```
+ GitHub Actions → "Helmsman Test Rigs" or "Deploy Test Rigs"
+ ```
+
+3. **Run the Workflow**
+ ```
+ Click: "Run workflow"
+ Branch: release-0.1.0
+ Mode: apply
+ DSF File: testrigs-dsf.yaml
+ ```
+
+4. **Monitor Progress** (Takes 15-30 minutes)
+ ```
+ → API Test Rig
+ → DSL Test Rig
+ → UI Test Rig
+ ```
+
+#### What You Should See
+
+**Check Test Rigs:**
+```bash
+kubectl get pods -n apitestrig
+kubectl get pods -n dsltestrig
+kubectl get pods -n uitestrig
+```
+
+---
+
+## Workflow Parameters Explained
+
+### Common to All Terraform Workflows
+
+#### Branch Selection
+```
+Use workflow from: Branch [dropdown]
+```
+**What it does**: Selects which branch's code to use
+
+**Choose**:
+- `release-0.1.0` - Stable release branch
+- `main` - Main development branch
+- `develop` - Latest development
+
+**Recommendation**: Use release branches for production
+
+---
+
+#### Cloud Provider
+```
+Cloud Provider: [aws | azure | gcp]
+```
+**What it does**: Selects cloud platform
+
+**Status**:
+- ✅ `aws` - Fully functional
+- `azure` - Placeholder only
+- `gcp` - Placeholder only
+
+**Choose**: `aws` (only fully implemented option)
+
+---
+
+#### Component
+```
+Component: [base-infra | infra | observ-infra]
+```
+**What it does**: Selects which infrastructure layer to deploy
+
+**Options**:
+| Component | Creates | Run Order |
+|-----------|---------|-----------|
+| `base-infra` | VPC, networking, jump server | **1st** (foundation) |
+| `observ-infra` | Rancher management cluster | **2nd** (optional) |
+| `infra` | MOSIP Kubernetes cluster | **3rd** (main deployment) |
+
+---
+
+#### Backend
+```
+Backend: [local | s3]
+```
+**What it does**: Determines where Terraform stores state files
+
+| Backend | Storage Location | Best For | Encryption |
+|---------|-----------------|----------|------------|
+| `local` | GitHub repository | Development, small teams | GPG encrypted |
+| `s3` | AWS S3 bucket | Production, large teams | S3 server-side encryption |
+
+**Recommendations**:
+- Development → `local`
+- Production → `s3`
+
+---
+
+#### Terraform Apply Checkbox
+```
+☐ Terraform apply
+```
+**What it does**: Controls whether changes are actually made
+
+| State | Effect | Use Case |
+|-------|--------|----------|
+| ☐ **Unchecked** | Dry run - shows plan only | Testing configurations |
+| ✅ **Checked** | Applies changes - creates resources | Actual deployment |
+
+**Visual Guide**:
+```
+☐ Unchecked → terraform plan → Shows what WOULD happen → No changes
+✅ Checked → terraform apply → Actually creates resources → Real changes
+```
+
+---
+
+### Helmsman-Specific Parameters
+
+#### Mode Selection
+```
+Mode: [apply | dry-run]
+```
+
+**IMPORTANT**: Always use `apply` for Helmsman!
+
+**Why?**
+```
+apply ✅ Works correctly
+dry-run ❌ Fails due to missing shared resources
+```
+
+**Choose**: `apply` (always)
+
+---
+
+#### DSF File Selection
+```
+DSF File: [prereq-dsf.yaml | external-dsf.yaml | mosip-dsf.yaml | testrigs-dsf.yaml]
+```
+
+**Deployment Order**:
+1. `prereq-dsf.yaml` - Monitoring, Istio
+2. `external-dsf.yaml` - Databases, queues
+3. `mosip-dsf.yaml` - MOSIP services
+4. `testrigs-dsf.yaml` - Testing infrastructure
+
+**Note**: Some workflows handle multiple DSFs automatically!
+
+---
+
+## Common Issues and Solutions
+
+### Issue 1: Workflow Not Found
+
+**Problem**: Can't find the workflow in GitHub Actions
+
+**Solution**:
+1. Check left sidebar - workflows are listed by name
+2. Try searching for keywords: "Terraform", "Helmsman", "Deploy"
+3. Verify you're on the "Actions" tab
+4. Check if workflows are in `.github/workflows/` directory
+
+**Workflow Name Variations**:
+| Documentation Says | Actual Workflow Name Might Be |
+|--------------------|------------------------------|
+| "Helmsman External Dependencies" | "Deploy External services of mosip using Helmsman" |
+| "Terraform Infrastructure" | "Terraform" or "Deploy Infrastructure" |
+
+---
+
+### Issue 2: Workflow Run Fails
+
+**Problem**: Red X appears, workflow failed
+
+**Solution**:
+1. **Click on the failed run**
+ ```
+ Actions → Click the failed run → Click failed job
+ ```
+
+2. **Read error messages**
+ ```
+ Scroll through logs
+ Look for red ERROR or FAILED messages
+ ```
+
+3. **Common Errors**:
+
+ | Error Message | Solution |
+ |--------------|----------|
+ | "Authentication failed" | Check AWS credentials in secrets |
+ | "InsufficientInstanceCapacity" | Set `specific_availability_zones = []` |
+ | "Permission denied" | Check IAM permissions |
+ | "Secret not found" | Add missing secret to GitHub |
+
+---
+
+### Issue 3: Terraform Apply Checkbox Confusion
+
+**Problem**: Not sure when to check or uncheck
+
+**Simple Rule**:
+```
+Want to see what would happen? → ☐ Uncheck (dry run)
+Want to actually deploy? → ✅ Check (apply)
+```
+
+**Example Scenarios**:
+```
+Testing new configuration → ☐ Uncheck first to verify
+First time deploying → ☐ Uncheck first, then ✅ check
+Updating existing deployment → ☐ Uncheck first to see changes
+```
+
+---
+
+### Issue 4: Environment Not Found
+
+**Problem**: Workflow can't find environment secrets
+
+**Solution**:
+1. **Verify environment name matches branch**
+ ```
+ Branch: release-0.1.0
+ Environment name: release-0.1.0 (must match exactly!)
+ ```
+
+2. **Create environment if missing**
+ ```
+ Settings → Environments → New environment
+ Name: release-0.1.0 (match your branch)
+ ```
+
+3. **Add secrets to environment**
+ ```
+ Configure environment → Add secrets
+ ```
+
+---
+
+### Issue 5: Helmsman Dry-Run Fails
+
+**Problem**: Helmsman workflow fails with validation errors
+
+**Solution**:
+```
+❌ Don't use: Mode = dry-run
+✅ Always use: Mode = apply
+```
+
+**Why?**
+- Dry-run validates resources that don't exist yet
+- Shared configmaps/secrets aren't created in dry-run
+- Dependencies between namespaces can't be validated
+
+---
+
+## Workflow Execution Checklist
+
+### Before Running ANY Workflow
+
+- [ ] All required secrets configured
+- [ ] Branch selected correctly
+- [ ] Environment matches branch name
+- [ ] AWS/cloud credentials valid
+- [ ] Previous steps completed successfully
+
+### For Terraform Workflows
+
+- [ ] tfvars file updated with correct values
+- [ ] Cloud provider = `aws`
+- [ ] Backend choice made (`local` or `s3`)
+- [ ] Understand dry-run vs apply
+- [ ] WireGuard configured (for infra deployment)
+
+### For Helmsman Workflows
+
+- [ ] KUBECONFIG secret added
+- [ ] WireGuard cluster access configured
+- [ ] Previous Helmsman steps completed
+- [ ] All pods from previous steps are Running
+- [ ] Mode set to `apply` (not dry-run!)
+- [ ] DSF files updated with correct domains
+
+---
+
+## Visual Workflow Summary
+
+```
+DEPLOYMENT FLOW:
+
+1. Terraform: Base Infrastructure
+ └── Creates VPC, networking, jump server
+ └── PAUSE: Configure WireGuard VPN
+
+2. Terraform: Main Infrastructure
+ └── Creates Kubernetes cluster
+ └── PAUSE: Get KUBECONFIG, add to secrets
+
+3. Helmsman: External Dependencies
+ └── Deploys monitoring, Istio, databases
+ └── ✅ Auto-triggers next step on success
+
+4. Helmsman: MOSIP Services (auto or manual)
+ └── Deploys MOSIP applications
+ └── PAUSE: Verify all pods Running
+
+5. Helmsman: Test Rigs (manual)
+ └── Deploys testing infrastructure
+ └── ✅ Deployment Complete!
+```
+
+---
+
+## Need More Help?
+
+- **Detailed Configurations**: See [DSF Configuration Guide](DSF_CONFIGURATION_GUIDE.md)
+- **Secret Setup**: See [Secret Generation Guide](SECRET_GENERATION_GUIDE.md)
+- **Troubleshooting**: See [Main README Troubleshooting Section](../README.md#troubleshooting-guides)
+- **Report Issues**: Open GitHub issue with workflow logs
+
+---
+
+**Navigation**: [Back to Main README](../README.md) | [View Glossary](GLOSSARY.md)
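Review bot: "Issue 5: Helmsman Dry-Run Fails" tells readers never to use dry-run (`❌ Don't use: Mode = dry-run` / `✅ Always use: Mode = apply`), but the Terraform checklist in the same section still asks them to "Understand dry-run vs apply" and the block at the top of this section recommends unchecking first to verify; state explicitly that the prohibition applies only to the Helmsman workflow (its dry-run cannot see the shared configmaps/secrets that a real `apply` creates) so readers do not carry it over to the Terraform dry-run, and say that the first Helmsman `apply` is therefore the validation step. Also, step 3 of the Visual Workflow Summary says a successful run auto-triggers MOSIP Services, while the Helmsman checklist requires "All pods from previous steps are Running" before the next step; say whether the auto-trigger waits for pod readiness or only for the Helmsman job exit code, since the PAUSE in step 4 implies a manual check is still expected.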
diff --git a/docs/_images/ARCHITECTURE_DIAGRAMS.md b/docs/_images/ARCHITECTURE_DIAGRAMS.md
index 36858e99..a7918f22 100644
--- a/docs/_images/ARCHITECTURE_DIAGRAMS.md
+++ b/docs/_images/ARCHITECTURE_DIAGRAMS.md
@@ -11,26 +11,26 @@ MOSIP Infrastructure Components (Updated)
========================================
GitHub Actions (Central Orchestration)
- |
- v
+ |
+ v
┌─────────────┬─────────────┬─────────────┐
-│ AWS Cloud │Azure Cloud │ GCP Cloud │
-│ Full Impl │ Placeholder │ Placeholder │
+│ AWS Cloud │Azure Cloud │ GCP Cloud │
+│ Full Impl │ Placeholder │ Placeholder │
└─────────────┴─────────────┴─────────────┘
- | | |
-┌─────┼─────┐ ┌─┼─┐ ┌─┼─┐
-│ │ │ │ │ │ │ │ │
-v v v v v v v v v
-base obs infra base infra base infra
-│ │ │ │ │ │ │
-│ │ │ │ ├──PostgreSQL Module (optional)
-│ │ ├──────┼───┘
-└─────┼─────┘ └───┘ └───┘
- | | |
- v v v
-[State Files] [State Files] [State Files]
-(Branch/Cloud (Branch/Cloud (Branch/Cloud
- Isolated) Isolated) Isolated)
+ | | |
+┌─────┼─────┐ ┌─┼─┐ ┌─┼─┐
+│ │ │ │ │ │ │ │ │
+v v v v v v v v v
+base obs infra base infra base infra
+│ │ │ │ │ │ │
+│ │ │ │ ├──PostgreSQL Module (optional)
+│ │ ├──────┼───┘
+└─────┼─────┘ └───┘ └───┘
+ | | |
+ v v v
+[State Files] [State Files] [State Files]
+(Branch/Cloud (Branch/Cloud (Branch/Cloud
+ Isolated) Isolated) Isolated)
```
### Component Relationships (Updated)
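Review bot: this hunk changes only leading whitespace in the ASCII diagram between `GitHub Actions (Central Orchestration)` and the `[State Files]` row, but inside a fenced block column alignment is the content: the connectors (`|`, `v`, `┌─────┼─────┐`) must stay under the boxes they join, so confirm the re-indented block renders identically to the old one, and consider keeping pure re-indentation in its own commit so the substantive changes elsewhere in this diff (the removed README diagram, the new images) are easier to review.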
@@ -48,289 +48,289 @@ Terraform Infra Module
├── RKE2 Kubernetes Cluster
├── Node Groups & Networking
└── PostgreSQL Module (Conditional)
- ├── enable_postgresql_setup = true → External PostgreSQL
- │ ├── Dedicated EBS Volume
- │ ├── Ansible Installation Script
- │ └── PostgreSQL 15 Configuration
- └── enable_postgresql_setup = false → Container PostgreSQL via Helmsman
+ ├── enable_postgresql_setup = true → External PostgreSQL
+ │ ├── Dedicated EBS Volume
+ │ ├── Ansible Installation Script
+ │ └── PostgreSQL 15 Configuration
+ └── enable_postgresql_setup = false → Container PostgreSQL via Helmsman
```
## Multi-Cloud Deployment Architecture
```mermaid
graph TB
- subgraph "AWS Deployment"
- subgraph "AWS Base-Infra (One-time)"
- AWS_VPC[VPC 10.0.0.0/16
Public/Private Subnets
Security Groups
WireGuard Jumpserver]
- end
- subgraph "AWS Observ-Infra (Optional)"
- AWS_MON[Management Cluster
Rancher UI + Keycloak
RBAC Integration]
- end
- subgraph "AWS Infra (Multiple)"
- AWS_RKE1[MOSIP Cluster 1
Production Environment
+ External PostgreSQL]
- AWS_RKE2[MOSIP Cluster 2
Staging Environment
+ Optional PostgreSQL]
- end
- AWS_VPC --> AWS_MON
- AWS_VPC --> AWS_RKE1
- AWS_VPC --> AWS_RKE2
- AWS_MON -.->|Import| AWS_RKE1
- AWS_MON -.->|Import| AWS_RKE2
- end
-
- subgraph "Azure Deployment"
- subgraph "Azure Base-Infra (One-time)"
- AZ_VNET[VNet 10.1.0.0/16
Public/Private Subnets
Network Security Groups
WireGuard Jumpserver]
- end
- subgraph "Azure Observ-Infra (Optional)"
- AZ_MON[Management Cluster
Rancher UI + Keycloak
RBAC Integration]
- end
- subgraph "Azure Infra (Multiple)"
- AZ_RKE1[MOSIP Cluster 1
Production Environment
+ External PostgreSQL]
- AZ_RKE2[MOSIP Cluster 2
Staging Environment
+ Optional PostgreSQL]
- end
- AZ_VNET --> AZ_MON
- AZ_VNET --> AZ_RKE1
- AZ_VNET --> AZ_RKE2
- AZ_MON -.->|Import| AZ_RKE1
- AZ_MON -.->|Import| AZ_RKE2
- end
-
- subgraph "GCP Deployment"
- subgraph "GCP Base-Infra (One-time)"
- GCP_VPC[VPC 10.2.0.0/16
Public/Private Subnets
Firewall Rules
WireGuard Jumpserver]
- end
- subgraph "GCP Observ-Infra (Optional)"
- GCP_MON[Management Cluster
Rancher UI + Keycloak
RBAC Integration]
- end
- subgraph "GCP Infra (Multiple)"
- GCP_RKE1[MOSIP Cluster 1
Production Environment
+ External PostgreSQL]
- GCP_RKE2[MOSIP Cluster 2
Staging Environment
+ Optional PostgreSQL]
- end
- GCP_VPC --> GCP_MON
- GCP_VPC --> GCP_RKE1
- GCP_VPC --> GCP_RKE2
- GCP_MON -.->|Import| GCP_RKE1
- GCP_MON -.->|Import| GCP_RKE2
- end
-
- style AWS_VPC fill:#e1f5fe,stroke:#01579b,color:#000000
- style AWS_MON fill:#fff3e0,stroke:#f57c00,color:#000000
- style AWS_RKE1 fill:#f3e5f5,stroke:#4a148c,color:#000000
- style AWS_RKE2 fill:#e8f5e8,stroke:#1b5e20,color:#000000
- style AZ_VNET fill:#e1f5fe,stroke:#01579b,color:#000000
- style AZ_MON fill:#fff3e0,stroke:#f57c00,color:#000000
- style AZ_RKE1 fill:#f3e5f5,stroke:#4a148c,color:#000000
- style AZ_RKE2 fill:#e8f5e8,stroke:#1b5e20,color:#000000
- style GCP_VPC fill:#e1f5fe,stroke:#01579b,color:#000000
- style GCP_MON fill:#fff3e0,stroke:#f57c00,color:#000000
- style GCP_RKE1 fill:#f3e5f5,stroke:#4a148c,color:#000000
- style GCP_RKE2 fill:#e8f5e8,stroke:#1b5e20,color:#000000
+ subgraph "AWS Deployment"
+ subgraph "AWS Base-Infra (One-time)"
+ AWS_VPC[VPC 10.0.0.0/16
Public/Private Subnets
Security Groups
WireGuard Jumpserver]
+ end
+ subgraph "AWS Observ-Infra (Optional)"
+ AWS_MON[Management Cluster
Rancher UI + Keycloak
RBAC Integration]
+ end
+ subgraph "AWS Infra (Multiple)"
+ AWS_RKE1[MOSIP Cluster 1
Production Environment
+ External PostgreSQL]
+ AWS_RKE2[MOSIP Cluster 2
Staging Environment
+ Optional PostgreSQL]
+ end
+ AWS_VPC --> AWS_MON
+ AWS_VPC --> AWS_RKE1
+ AWS_VPC --> AWS_RKE2
+ AWS_MON -.->|Import| AWS_RKE1
+ AWS_MON -.->|Import| AWS_RKE2
+ end
+
+ subgraph "Azure Deployment"
+ subgraph "Azure Base-Infra (One-time)"
+ AZ_VNET[VNet 10.1.0.0/16
Public/Private Subnets
Network Security Groups
WireGuard Jumpserver]
+ end
+ subgraph "Azure Observ-Infra (Optional)"
+ AZ_MON[Management Cluster
Rancher UI + Keycloak
RBAC Integration]
+ end
+ subgraph "Azure Infra (Multiple)"
+ AZ_RKE1[MOSIP Cluster 1
Production Environment
+ External PostgreSQL]
+ AZ_RKE2[MOSIP Cluster 2
Staging Environment
+ Optional PostgreSQL]
+ end
+ AZ_VNET --> AZ_MON
+ AZ_VNET --> AZ_RKE1
+ AZ_VNET --> AZ_RKE2
+ AZ_MON -.->|Import| AZ_RKE1
+ AZ_MON -.->|Import| AZ_RKE2
+ end
+
+ subgraph "GCP Deployment"
+ subgraph "GCP Base-Infra (One-time)"
+ GCP_VPC[VPC 10.2.0.0/16
Public/Private Subnets
Firewall Rules
WireGuard Jumpserver]
+ end
+ subgraph "GCP Observ-Infra (Optional)"
+ GCP_MON[Management Cluster
Rancher UI + Keycloak
RBAC Integration]
+ end
+ subgraph "GCP Infra (Multiple)"
+ GCP_RKE1[MOSIP Cluster 1
Production Environment
+ External PostgreSQL]
+ GCP_RKE2[MOSIP Cluster 2
Staging Environment
+ Optional PostgreSQL]
+ end
+ GCP_VPC --> GCP_MON
+ GCP_VPC --> GCP_RKE1
+ GCP_VPC --> GCP_RKE2
+ GCP_MON -.->|Import| GCP_RKE1
+ GCP_MON -.->|Import| GCP_RKE2
+ end
+
+ style AWS_VPC fill:#e1f5fe,stroke:#01579b,color:#000000
+ style AWS_MON fill:#fff3e0,stroke:#f57c00,color:#000000
+ style AWS_RKE1 fill:#f3e5f5,stroke:#4a148c,color:#000000
+ style AWS_RKE2 fill:#e8f5e8,stroke:#1b5e20,color:#000000
+ style AZ_VNET fill:#e1f5fe,stroke:#01579b,color:#000000
+ style AZ_MON fill:#fff3e0,stroke:#f57c00,color:#000000
+ style AZ_RKE1 fill:#f3e5f5,stroke:#4a148c,color:#000000
+ style AZ_RKE2 fill:#e8f5e8,stroke:#1b5e20,color:#000000
+ style GCP_VPC fill:#e1f5fe,stroke:#01579b,color:#000000
+ style GCP_MON fill:#fff3e0,stroke:#f57c00,color:#000000
+ style GCP_RKE1 fill:#f3e5f5,stroke:#4a148c,color:#000000
+ style GCP_RKE2 fill:#e8f5e8,stroke:#1b5e20,color:#000000
```
## PostgreSQL Integration Architecture (NEW)
```mermaid
graph TD
- A[Terraform Infra Deployment] --> B{enable_postgresql_setup}
-
- B -->|true| C[External PostgreSQL Path]
- B -->|false| D[Container PostgreSQL Path]
-
- C --> E[Provision EBS/Disk Volume]
- E --> F[Create Dedicated PostgreSQL Node]
- F --> G[Execute Ansible PostgreSQL Setup]
- G --> H[Install PostgreSQL 15]
- H --> I[Configure Security & Networking]
- I --> J[Setup Data Directory & Permissions]
- J --> K[Configure PostgreSQL Port 5433]
- K --> L[External PostgreSQL Ready]
-
- D --> M[Skip PostgreSQL Infrastructure]
- M --> N[Configure Helmsman external-dsf.yaml]
- N --> O[Enable PostgreSQL Container Deployment]
- O --> P[Container PostgreSQL via Kubernetes]
-
- L --> Q[Update Helmsman Configuration]
- P --> Q[Update Helmsman Configuration]
-
- Q --> R[postgresql.enabled = false (External)]
- Q --> S[postgresql.enabled = true (Container)]
-
- R --> T[Deploy MOSIP Services]
- S --> T[Deploy MOSIP Services]
-
- T --> U[MOSIP Uses Configured PostgreSQL]
-
- style C fill:#e8f5e8,stroke:#2e7d32,color:#000000
- style D fill:#fff3e0,stroke:#f57c00,color:#000000
- style L fill:#c8e6c9,stroke:#1b5e20,color:#000000
- style P fill:#ffe0b2,stroke:#e65100,color:#000000
+ A[Terraform Infra Deployment] --> B{enable_postgresql_setup}
+
+ B -->|true| C[External PostgreSQL Path]
+ B -->|false| D[Container PostgreSQL Path]
+
+ C --> E[Provision EBS/Disk Volume]
+ E --> F[Create Dedicated PostgreSQL Node]
+ F --> G[Execute Ansible PostgreSQL Setup]
+ G --> H[Install PostgreSQL 15]
+ H --> I[Configure Security & Networking]
+ I --> J[Setup Data Directory & Permissions]
+ J --> K[Configure PostgreSQL Port 5433]
+ K --> L[External PostgreSQL Ready]
+
+ D --> M[Skip PostgreSQL Infrastructure]
+ M --> N[Configure Helmsman external-dsf.yaml]
+ N --> O[Enable PostgreSQL Container Deployment]
+ O --> P[Container PostgreSQL via Kubernetes]
+
+ L --> Q[Update Helmsman Configuration]
+ P --> Q[Update Helmsman Configuration]
+
+ Q --> R[postgresql.enabled = false (External)]
+ Q --> S[postgresql.enabled = true (Container)]
+
+ R --> T[Deploy MOSIP Services]
+ S --> T[Deploy MOSIP Services]
+
+ T --> U[MOSIP Uses Configured PostgreSQL]
+
+ style C fill:#e8f5e8,stroke:#2e7d32,color:#000000
+ style D fill:#fff3e0,stroke:#f57c00,color:#000000
+ style L fill:#c8e6c9,stroke:#1b5e20,color:#000000
+ style P fill:#ffe0b2,stroke:#e65100,color:#000000
```
## Updated Deployment Flow with PostgreSQL
```mermaid
graph TD
- A[1. Deploy base-infra
VPC + WireGuard
One-time setup] --> B{Deploy observ-infra?}
-
- B -->|Yes| C[2. Deploy observ-infra
Rancher + Keycloak]
- B -->|No| D[3. Configure PostgreSQL in Terraform]
-
- C --> D[3. Configure PostgreSQL in Terraform]
-
- D --> E{enable_postgresql_setup?}
-
- E -->|true| F[3a. Set EBS Volume Size
nginx_node_ebs_volume_size_2 = 200]
- E -->|false| G[3b. Plan for Container PostgreSQL]
-
- F --> H[4. Deploy infra via Terraform
RKE2 + PostgreSQL + Networking]
- G --> I[4. Deploy infra via Terraform
RKE2 + Networking only]
-
- H --> J[Terraform Auto-executes:
- Provision PostgreSQL node
- Install via Ansible
- Configure PostgreSQL 15]
- I --> K[PostgreSQL will be containerized]
-
- J --> L[5. Update Helmsman DSF
postgresql.enabled = false]
- K --> M[5. Update Helmsman DSF
postgresql.enabled = true]
-
- L --> N[6. Deploy Prerequisites
Monitoring + Istio + Logging]
- K --> M[6. Deploy Prerequisites
Monitoring + Istio + Logging]
-
- L --> O[6. Deploy External Dependencies (Parallel)
PostgreSQL + MinIO + Keycloak + Kafka]
- K --> P[6. Deploy External Dependencies (Parallel)
PostgreSQL + MinIO + Keycloak + Kafka]
-
- N --> Q[7. Deploy MOSIP Services
Core services using PostgreSQL]
- O --> Q[7. Deploy MOSIP Services
Core services using PostgreSQL]
- M --> Q[7. Deploy MOSIP Services
Core services using PostgreSQL]
- P --> Q[7. Deploy MOSIP Services
Core services using PostgreSQL]
- P --> Q[9. Optional: Deploy Test Rigs]
- Q --> R[MOSIP Platform Ready]
-
- style F fill:#c8e6c9,stroke:#1b5e20,color:#000000
- style G fill:#ffe0b2,stroke:#e65100,color:#000000
- style H fill:#c8e6c9,stroke:#1b5e20,color:#000000
- style I fill:#ffe0b2,stroke:#e65100,color:#000000
- style J fill:#a5d6a7,stroke:#2e7d32,color:#000000
- style K fill:#ffcc02,stroke:#f57c00,color:#000000
+ A[1. Deploy base-infra
VPC + WireGuard
One-time setup] --> B{Deploy observ-infra?}
+
+ B -->|Yes| C[2. Deploy observ-infra
Rancher + Keycloak]
+ B -->|No| D[3. Configure PostgreSQL in Terraform]
+
+ C --> D[3. Configure PostgreSQL in Terraform]
+
+ D --> E{enable_postgresql_setup?}
+
+ E -->|true| F[3a. Set EBS Volume Size
nginx_node_ebs_volume_size_2 = 200]
+ E -->|false| G[3b. Plan for Container PostgreSQL]
+
+ F --> H[4. Deploy infra via Terraform
RKE2 + PostgreSQL + Networking]
+ G --> I[4. Deploy infra via Terraform
RKE2 + Networking only]
+
+ H --> J[Terraform Auto-executes:
- Provision PostgreSQL node
- Install via Ansible
- Configure PostgreSQL 15]
+ I --> K[PostgreSQL will be containerized]
+
+ J --> L[5. Update Helmsman DSF
postgresql.enabled = false]
+ K --> M[5. Update Helmsman DSF
postgresql.enabled = true]
+
+ L --> N[6. Deploy Prerequisites
Monitoring + Istio + Logging]
+ K --> M[6. Deploy Prerequisites
Monitoring + Istio + Logging]
+
+ L --> O[6. Deploy External Dependencies (Parallel)
PostgreSQL + MinIO + Keycloak + Kafka]
+ K --> P[6. Deploy External Dependencies (Parallel)
PostgreSQL + MinIO + Keycloak + Kafka]
+
+ N --> Q[7. Deploy MOSIP Services
Core services using PostgreSQL]
+ O --> Q[7. Deploy MOSIP Services
Core services using PostgreSQL]
+ M --> Q[7. Deploy MOSIP Services
Core services using PostgreSQL]
+ P --> Q[7. Deploy MOSIP Services
Core services using PostgreSQL]
+ P --> Q[9. Optional: Deploy Test Rigs]
+ Q --> R[MOSIP Platform Ready]
+
+ style F fill:#c8e6c9,stroke:#1b5e20,color:#000000
+ style G fill:#ffe0b2,stroke:#e65100,color:#000000
+ style H fill:#c8e6c9,stroke:#1b5e20,color:#000000
+ style I fill:#ffe0b2,stroke:#e65100,color:#000000
+ style J fill:#a5d6a7,stroke:#2e7d32,color:#000000
+ style K fill:#ffcc02,stroke:#f57c00,color:#000000
## Deployment Flow & Dependencies
```mermaid
graph TD
- A[Start Deployment] --> B{Choose Cloud Provider}
- B -->|AWS| C[AWS Deployment]
- B -->|Azure| D[Azure Deployment]
- B -->|GCP| E[GCP Deployment]
-
- C --> F[1. Deploy base-infra
VPC + WireGuard
One-time setup]
- D --> G[1. Deploy base-infra
VNet + WireGuard
One-time setup]
- E --> H[1. Deploy base-infra
VPC + WireGuard
One-time setup]
-
- F --> I{Deploy observ-infra?}
- G --> J{Deploy observ-infra?}
- H --> K{Deploy observ-infra?}
-
- I -->|Yes| L[2. Deploy observ-infra
Rancher + Keycloak]
- I -->|No| M[3. Deploy infra
RKE2 + NGINX + NFS]
- J -->|Yes| N[2. Deploy observ-infra
Rancher + Keycloak]
- J -->|No| O[3. Deploy infra
RKE2 + NGINX + NFS]
- K -->|Yes| P[2. Deploy observ-infra
Rancher + Keycloak]
- K -->|No| Q[3. Deploy infra
RKE2 + NGINX + NFS]
-
- L --> M
- N --> O
- P --> Q
-
- M --> R[MOSIP Cluster Ready]
- O --> S[MOSIP Cluster Ready]
- Q --> T[MOSIP Cluster Ready]
-
- L -.->|Optional Import| R
- N -.->|Optional Import| S
- P -.->|Optional Import| T
-
- style F fill:#e1f5fe,stroke:#01579b,color:#000000
- style G fill:#e1f5fe,stroke:#01579b,color:#000000
- style H fill:#e1f5fe,stroke:#01579b,color:#000000
- style L fill:#fff3e0,stroke:#f57c00,color:#000000
- style N fill:#fff3e0,stroke:#f57c00,color:#000000
- style P fill:#fff3e0,stroke:#f57c00,color:#000000
- style M fill:#f3e5f5,stroke:#4a148c,color:#000000
- style O fill:#f3e5f5,stroke:#4a148c,color:#000000
- style Q fill:#f3e5f5,stroke:#4a148c,color:#000000
+ A[Start Deployment] --> B{Choose Cloud Provider}
+ B -->|AWS| C[AWS Deployment]
+ B -->|Azure| D[Azure Deployment]
+ B -->|GCP| E[GCP Deployment]
+
+ C --> F[1. Deploy base-infra
VPC + WireGuard
One-time setup]
+ D --> G[1. Deploy base-infra
VNet + WireGuard
One-time setup]
+ E --> H[1. Deploy base-infra
VPC + WireGuard
One-time setup]
+
+ F --> I{Deploy observ-infra?}
+ G --> J{Deploy observ-infra?}
+ H --> K{Deploy observ-infra?}
+
+ I -->|Yes| L[2. Deploy observ-infra
Rancher + Keycloak]
+ I -->|No| M[3. Deploy infra
RKE2 + NGINX + NFS]
+ J -->|Yes| N[2. Deploy observ-infra
Rancher + Keycloak]
+ J -->|No| O[3. Deploy infra
RKE2 + NGINX + NFS]
+ K -->|Yes| P[2. Deploy observ-infra
Rancher + Keycloak]
+ K -->|No| Q[3. Deploy infra
RKE2 + NGINX + NFS]
+
+ L --> M
+ N --> O
+ P --> Q
+
+ M --> R[MOSIP Cluster Ready]
+ O --> S[MOSIP Cluster Ready]
+ Q --> T[MOSIP Cluster Ready]
+
+ L -.->|Optional Import| R
+ N -.->|Optional Import| S
+ P -.->|Optional Import| T
+
+ style F fill:#e1f5fe,stroke:#01579b,color:#000000
+ style G fill:#e1f5fe,stroke:#01579b,color:#000000
+ style H fill:#e1f5fe,stroke:#01579b,color:#000000
+ style L fill:#fff3e0,stroke:#f57c00,color:#000000
+ style N fill:#fff3e0,stroke:#f57c00,color:#000000
+ style P fill:#fff3e0,stroke:#f57c00,color:#000000
+ style M fill:#f3e5f5,stroke:#4a148c,color:#000000
+ style O fill:#f3e5f5,stroke:#4a148c,color:#000000
+ style Q fill:#f3e5f5,stroke:#4a148c,color:#000000
```
## Terraform Module Structure
```mermaid
graph TB
- subgraph "Terraform Directory Structure"
- subgraph "implementations/"
- subgraph "aws/"
- AWS_BASE[base-infra/
Foundation setup]
- AWS_OBS[observ-infra/
Management cluster]
- AWS_INF[infra/
MOSIP clusters]
- end
- subgraph "azure/"
- AZ_BASE[base-infra/
Foundation setup]
- AZ_OBS[observ-infra/
Management cluster]
- AZ_INF[infra/
MOSIP clusters]
- end
- subgraph "gcp/"
- GCP_BASE[base-infra/
Foundation setup]
- GCP_OBS[observ-infra/
Management cluster]
- GCP_INF[infra/
MOSIP clusters]
- end
- end
-
- subgraph "modules/"
- subgraph "AWS Modules"
- AWS_VPC[aws-resource-creation/
VPC, subnets, security]
- AWS_RKE[rke2-cluster/
Kubernetes setup]
- AWS_NGINX[nginx-setup/
Load balancer]
- AWS_NFS[nfs-setup/
Storage]
- end
- subgraph "Azure Modules"
- AZ_VNET[azure-resource-creation/
VNet, NSG, security]
- AZ_RKE[rke2-cluster/
Kubernetes setup]
- AZ_LB[lb-setup/
Load balancer]
- AZ_STOR[storage-setup/
Storage]
- end
- subgraph "GCP Modules"
- GCP_VPC_MOD[gcp-resource-creation/
VPC, firewall]
- GCP_RKE[rke2-cluster/
Kubernetes setup]
- GCP_LB[lb-setup/
Load balancer]
- GCP_STOR[storage-setup/
Storage]
- end
- end
- end
-
- AWS_BASE --> AWS_VPC
- AWS_OBS --> AWS_RKE
- AWS_INF --> AWS_RKE
- AWS_INF --> AWS_NGINX
- AWS_INF --> AWS_NFS
-
- AZ_BASE --> AZ_VNET
- AZ_OBS --> AZ_RKE
- AZ_INF --> AZ_RKE
- AZ_INF --> AZ_LB
- AZ_INF --> AZ_STOR
-
- GCP_BASE --> GCP_VPC_MOD
- GCP_OBS --> GCP_RKE
- GCP_INF --> GCP_RKE
- GCP_INF --> GCP_LB
- GCP_INF --> GCP_STOR
-
- style AWS_BASE fill:#e1f5fe,stroke:#01579b,color:#000000
- style AWS_OBS fill:#fff3e0,stroke:#f57c00,color:#000000
- style AWS_INF fill:#f3e5f5,stroke:#4a148c,color:#000000
- style AZ_BASE fill:#e1f5fe,stroke:#01579b,color:#000000
- style AZ_OBS fill:#fff3e0,stroke:#f57c00,color:#000000
- style AZ_INF fill:#f3e5f5,stroke:#4a148c,color:#000000
- style GCP_BASE fill:#e1f5fe,stroke:#01579b,color:#000000
- style GCP_OBS fill:#fff3e0,stroke:#f57c00,color:#000000
- style GCP_INF fill:#f3e5f5,stroke:#4a148c,color:#000000
+ subgraph "Terraform Directory Structure"
+ subgraph "implementations/"
+ subgraph "aws/"
+ AWS_BASE[base-infra/
Foundation setup]
+ AWS_OBS[observ-infra/
Management cluster]
+ AWS_INF[infra/
MOSIP clusters]
+ end
+ subgraph "azure/"
+ AZ_BASE[base-infra/
Foundation setup]
+ AZ_OBS[observ-infra/
Management cluster]
+ AZ_INF[infra/
MOSIP clusters]
+ end
+ subgraph "gcp/"
+ GCP_BASE[base-infra/
Foundation setup]
+ GCP_OBS[observ-infra/
Management cluster]
+ GCP_INF[infra/
MOSIP clusters]
+ end
+ end
+
+ subgraph "modules/"
+ subgraph "AWS Modules"
+ AWS_VPC[aws-resource-creation/
VPC, subnets, security]
+ AWS_RKE[rke2-cluster/
Kubernetes setup]
+ AWS_NGINX[nginx-setup/
Load balancer]
+ AWS_NFS[nfs-setup/
Storage]
+ end
+ subgraph "Azure Modules"
+ AZ_VNET[azure-resource-creation/
VNet, NSG, security]
+ AZ_RKE[rke2-cluster/
Kubernetes setup]
+ AZ_LB[lb-setup/
Load balancer]
+ AZ_STOR[storage-setup/
Storage]
+ end
+ subgraph "GCP Modules"
+ GCP_VPC_MOD[gcp-resource-creation/
VPC, firewall]
+ GCP_RKE[rke2-cluster/
Kubernetes setup]
+ GCP_LB[lb-setup/
Load balancer]
+ GCP_STOR[storage-setup/
Storage]
+ end
+ end
+ end
+
+ AWS_BASE --> AWS_VPC
+ AWS_OBS --> AWS_RKE
+ AWS_INF --> AWS_RKE
+ AWS_INF --> AWS_NGINX
+ AWS_INF --> AWS_NFS
+
+ AZ_BASE --> AZ_VNET
+ AZ_OBS --> AZ_RKE
+ AZ_INF --> AZ_RKE
+ AZ_INF --> AZ_LB
+ AZ_INF --> AZ_STOR
+
+ GCP_BASE --> GCP_VPC_MOD
+ GCP_OBS --> GCP_RKE
+ GCP_INF --> GCP_RKE
+ GCP_INF --> GCP_LB
+ GCP_INF --> GCP_STOR
+
+ style AWS_BASE fill:#e1f5fe,stroke:#01579b,color:#000000
+ style AWS_OBS fill:#fff3e0,stroke:#f57c00,color:#000000
+ style AWS_INF fill:#f3e5f5,stroke:#4a148c,color:#000000
+ style AZ_BASE fill:#e1f5fe,stroke:#01579b,color:#000000
+ style AZ_OBS fill:#fff3e0,stroke:#f57c00,color:#000000
+ style AZ_INF fill:#f3e5f5,stroke:#4a148c,color:#000000
+ style GCP_BASE fill:#e1f5fe,stroke:#01579b,color:#000000
+ style GCP_OBS fill:#fff3e0,stroke:#f57c00,color:#000000
+ style GCP_INF fill:#f3e5f5,stroke:#4a148c,color:#000000
```
## State File Isolation
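Review bot: the `## Updated Deployment Flow with PostgreSQL` mermaid block is still not closed in either the removed or the added version: after the last `style K fill:#ffcc02,stroke:#f57c00,color:#000000` line the next line is the `## Deployment Flow & Dependencies` heading, whereas every other block in this hunk ends with a closing fence (compare the line after `style P fill:#ffe0b2,...`). A closing fence cannot carry an info string, so the following ```mermaid line does not close it either, and the heading plus the whole "Deployment Flow & Dependencies" diagram render inside one broken block; add the closing fence since the hunk rewrites every line of the block anyway. In that same diagram node ids are reused with different labels (`K --> M[5. Update Helmsman DSF ...]` then `K --> M[6. Deploy Prerequisites ...]`, and `P --> Q[7. Deploy MOSIP Services ...]` then `P --> Q[9. Optional: Deploy Test Rigs]`); an id can carry only one node, so these edges collapse onto a single box. Give the prerequisites, external-dependencies and test-rig steps their own ids and fix the numbering (6, 6, 7, 9 with no 8).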
@@ -342,15 +342,15 @@ State Management Structure
Production (main branch):
├── mosip-terraform-bucket-main/
-│ ├── aws-base-infra-main-terraform.tfstate
-│ ├── aws-observ-infra-main-terraform.tfstate
-│ ├── aws-infra-main-terraform.tfstate
-│ ├── azure-base-infra-main-terraform.tfstate
-│ ├── azure-observ-infra-main-terraform.tfstate
-│ ├── azure-infra-main-terraform.tfstate
-│ ├── gcp-base-infra-main-terraform.tfstate
-│ ├── gcp-observ-infra-main-terraform.tfstate
-│ └── gcp-infra-main-terraform.tfstate
+│ ├── aws-base-infra-main-terraform.tfstate
+│ ├── aws-observ-infra-main-terraform.tfstate
+│ ├── aws-infra-main-terraform.tfstate
+│ ├── azure-base-infra-main-terraform.tfstate
+│ ├── azure-observ-infra-main-terraform.tfstate
+│ ├── azure-infra-main-terraform.tfstate
+│ ├── gcp-base-infra-main-terraform.tfstate
+│ ├── gcp-observ-infra-main-terraform.tfstate
+│ └── gcp-infra-main-terraform.tfstate
Staging (staging branch):
├── mosip-terraform-bucket-staging/
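Review bot: the state layout shown here (`mosip-terraform-bucket-main/` with one `<cloud>-<component>-main-terraform.tfstate` object per component) describes only the S3 backend, while the README hunk in this same diff says state management uses a "local backend with GPG encryption" and the workflow guide lists the backend choice as `local` or `s3`; document where the GPG-encrypted state lives under the local backend, or say explicitly that this tree applies to the `s3` choice only, so the two documents do not contradict each other. The hunk itself is whitespace-only.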
diff --git a/docs/_images/MOSIP_Terraform_Architecture.drawio b/docs/_images/MOSIP_Terraform_Architecture.drawio
new file mode 100644
index 00000000..2af62cdf
--- /dev/null
+++ b/docs/_images/MOSIP_Terraform_Architecture.drawio
@@ -0,0 +1,264 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
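Review bot: `\ No newline at end of file` on the new `MOSIP_Terraform_Architecture.drawio`: add the trailing newline so that later edits do not show a spurious last-line change, and since PNG exports (`terraform-light.draw.io.png`, `updated-Helmsman.drawio.png`) are committed in the same diff, record in the docs which .drawio source each image was exported from so the editable source and the rendered images do not drift apart.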
diff --git a/docs/_images/base-infra-terraform-apply.png b/docs/_images/base-infra-terraform-apply.png
new file mode 100644
index 00000000..659368da
Binary files /dev/null and b/docs/_images/base-infra-terraform-apply.png differ
diff --git a/docs/_images/base-infra-terraform-destroy.png b/docs/_images/base-infra-terraform-destroy.png
new file mode 100644
index 00000000..9d5e3eea
Binary files /dev/null and b/docs/_images/base-infra-terraform-destroy.png differ
diff --git a/docs/_images/helmsman-external-services.png b/docs/_images/helmsman-external-services.png
new file mode 100644
index 00000000..f546e228
Binary files /dev/null and b/docs/_images/helmsman-external-services.png differ
diff --git a/docs/_images/helmsman-testrigs.png b/docs/_images/helmsman-testrigs.png
new file mode 100644
index 00000000..10bec4b4
Binary files /dev/null and b/docs/_images/helmsman-testrigs.png differ
diff --git a/docs/_images/infra-terraform-apply.png b/docs/_images/infra-terraform-apply.png
new file mode 100644
index 00000000..7950e437
Binary files /dev/null and b/docs/_images/infra-terraform-apply.png differ
diff --git a/docs/_images/infra-terraform-destroy.png b/docs/_images/infra-terraform-destroy.png
new file mode 100644
index 00000000..b5d2adfb
Binary files /dev/null and b/docs/_images/infra-terraform-destroy.png differ
diff --git a/docs/_images/terraform-light.draw.io.png b/docs/_images/terraform-light.draw.io.png
new file mode 100644
index 00000000..901345f7
Binary files /dev/null and b/docs/_images/terraform-light.draw.io.png differ
diff --git a/docs/_images/updated-Helmsman.drawio.png b/docs/_images/updated-Helmsman.drawio.png
new file mode 100644
index 00000000..0b0ddcd5
Binary files /dev/null and b/docs/_images/updated-Helmsman.drawio.png differ
diff --git a/terraform/README.md b/terraform/README.md
index 3aa24d26..0a5f1cf6 100644
--- a/terraform/README.md
+++ b/terraform/README.md
@@ -1,96 +1,14 @@
# MOSIP Terraform Infrastructure
-
-
-
-
*Terraform-based Infrastructure as Code for MOSIP Platform*
-
-
This directory contains **Terraform code** for deploying MOSIP (Modular Open Source Identity Platform) infrastructure. **Complete implementation is available for AWS**, while **Azure and GCP have placeholder structures** available for community contributions. The architecture separates infrastructure into three distinct components for clear isolation and management.
## Architecture Overview
-**For detailed architecture diagrams and deployment flows, see: [ARCHITECTURE_DIAGRAMS.md](../docs/_images/ARCHITECTURE_DIAGRAMS.md)**
-
-### Three-Component Architecture
-
-
-
-
-
-*Cloud-Agnostic RKE2 Infrastructure Deployment Model*
-
-
-
The MOSIP infrastructure follows a clean three-component architecture with isolated state management using **local backend with GPG encryption**:
-```mermaid
-graph TB
- subgraph "GitHub Actions Orchestration"
- GHA[GitHub Actions
Central Deployment Control]
- end
-
- subgraph "Multi-Cloud Infrastructure"
- subgraph "AWS Cloud"
- AWS_BASE[base-infra
VPC + WireGuard]
- AWS_OBS[observ-infra
Rancher + Keycloak]
- AWS_INFRA[infra
MOSIP K8s Cluster]
- AWS_STATE[(AWS S3
State Files)]
- end
-
- subgraph "Azure Cloud"
- AZ_BASE[base-infra
VNet + WireGuard]
- AZ_OBS[observ-infra
Rancher + Keycloak]
- AZ_INFRA[infra
MOSIP RKE2 Cluster]
- AZ_STATE[(Azure Storage
State Files)]
- end
-
- subgraph "GCP Cloud"
- GCP_BASE[base-infra
VPC + WireGuard]
- GCP_OBS[observ-infra
Rancher + Keycloak]
- GCP_INFRA[infra
MOSIP RKE2 Cluster]
- GCP_STATE[(GCS
State Files)]
- end
- end
-
- GHA --> AWS_BASE
- GHA --> AZ_BASE
- GHA --> GCP_BASE
-
- AWS_BASE --> AWS_OBS
- AWS_BASE --> AWS_INFRA
- AWS_OBS -.->|Import| AWS_INFRA
- AWS_BASE -.-> AWS_STATE
- AWS_OBS -.-> AWS_STATE
- AWS_INFRA -.-> AWS_STATE
-
- AZ_BASE --> AZ_OBS
- AZ_BASE --> AZ_INFRA
- AZ_OBS -.->|Import| AZ_INFRA
- AZ_BASE -.-> AZ_STATE
- AZ_OBS -.-> AZ_STATE
- AZ_INFRA -.-> AZ_STATE
-
- GCP_BASE --> GCP_OBS
- GCP_BASE --> GCP_INFRA
- GCP_OBS -.->|Import| GCP_INFRA
- GCP_BASE -.-> GCP_STATE
- GCP_OBS -.-> GCP_STATE
- GCP_INFRA -.-> GCP_STATE
-
- style GHA fill:#2196F3,stroke:#1976D2,stroke-width:2px,color:#fff
- style AWS_BASE fill:#e1f5fe,stroke:#01579b,stroke-width:2px,color:#000000
- style AWS_OBS fill:#fff3e0,stroke:#f57c00,stroke-width:2px,color:#000000
- style AWS_INFRA fill:#f3e5f5,stroke:#4a148c,stroke-width:2px,color:#000000
- style AZ_BASE fill:#e1f5fe,stroke:#01579b,stroke-width:2px,color:#000000
- style AZ_OBS fill:#fff3e0,stroke:#f57c00,stroke-width:2px,color:#000000
- style AZ_INFRA fill:#f3e5f5,stroke:#4a148c,stroke-width:2px,color:#000000
- style GCP_BASE fill:#e1f5fe,stroke:#01579b,stroke-width:2px,color:#000000
- style GCP_OBS fill:#fff3e0,stroke:#f57c00,stroke-width:2px,color:#000000
- style GCP_INFRA fill:#f3e5f5,stroke:#4a148c,stroke-width:2px,color:#000000
-```
+
**Component Relationships:**
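Review bot: the removed lines drop both the inline three-component mermaid diagram and the only cross-reference to the detailed diagrams (`**For detailed architecture diagrams and deployment flows, see: [ARCHITECTURE_DIAGRAMS.md](../docs/_images/ARCHITECTURE_DIAGRAMS.md)**`), and the single added line before `**Component Relationships:**` renders empty here; if the diagram now lives in one of the images added in this diff, the README needs a visible image reference at this point, and the link to ARCHITECTURE_DIAGRAMS.md should be kept since that file is updated in the same change. Note also that the removed diagram labelled state storage as `AWS S3 State Files` while the retained sentence says "local backend with GPG encryption"; whichever is current, the State File Isolation section of ARCHITECTURE_DIAGRAMS.md should agree with it.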
@@ -102,40 +20,40 @@ graph TB
```mermaid
graph TD
- A["terraform/"] --> B["base-infra/"]
- A --> C["infra/"]
- A --> D["observ-infra/"]
- A --> E["modules/"]
- A --> F["implementations/"]
-
- E --> E1["aws/"]
- E --> E2["azure/"]
- E --> E3["gcp/"]
-
- E1 --> E1A["aws-resource-creation/"]
- E1 --> E1B["nginx-setup/"]
- E1 --> E1C["rke2-cluster/"]
- E1 --> E1D["nfs-setup/"]
- E1 --> E1E["postgresql-setup/"]
- E1 --> E1F["rancher-keycloak-setup/"]
-
- F --> F1["aws/"]
- F --> F2["azure/"]
- F --> F3["gcp/"]
-
- F1 --> F1A["base-infra/"]
- F1 --> F1B["infra/"]
- F1 --> F1C["observ-infra/"]
-
- classDef root fill:#2196F3,stroke:#1976D2,stroke-width:2px,color:#fff
- classDef component fill:#e1f5fe,stroke:#01579b,stroke-width:2px,color:#000000
- classDef modules fill:#e8f5e8,stroke:#1b5e20,stroke-width:2px,color:#000000
- classDef impl fill:#fce4ec,stroke:#880e4f,stroke-width:2px,color:#000000
-
- class A root
- class B,C,D component
- class E,E1,E2,E3,E1A,E1B,E1C,E1D,E1E,E1F modules
- class F,F1,F2,F3,F1A,F1B,F1C impl
+ A["terraform/"] --> B["base-infra/"]
+ A --> C["infra/"]
+ A --> D["observ-infra/"]
+ A --> E["modules/"]
+ A --> F["implementations/"]
+
+ E --> E1["aws/"]
+ E --> E2["azure/"]
+ E --> E3["gcp/"]
+
+ E1 --> E1A["aws-resource-creation/"]
+ E1 --> E1B["nginx-setup/"]
+ E1 --> E1C["rke2-cluster/"]
+ E1 --> E1D["nfs-setup/"]
+ E1 --> E1E["postgresql-setup/"]
+ E1 --> E1F["rancher-keycloak-setup/"]
+
+ F --> F1["aws/"]
+ F --> F2["azure/"]
+ F --> F3["gcp/"]
+
+ F1 --> F1A["base-infra/"]
+ F1 --> F1B["infra/"]
+ F1 --> F1C["observ-infra/"]
+
+ classDef root fill:#2196F3,stroke:#1976D2,stroke-width:2px,color:#fff
+ classDef component fill:#e1f5fe,stroke:#01579b,stroke-width:2px,color:#000000
+ classDef modules fill:#e8f5e8,stroke:#1b5e20,stroke-width:2px,color:#000000
+ classDef impl fill:#fce4ec,stroke:#880e4f,stroke-width:2px,color:#000000
+
+ class A root
+ class B,C,D component
+ class E,E1,E2,E3,E1A,E1B,E1C,E1D,E1E,E1F modules
+ class F,F1,F2,F3,F1A,F1B,F1C impl
```
**Color Legend:**
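Review bot: this directory tree lists six modules under `modules/aws/`, including `postgresql-setup/` and `rancher-keycloak-setup/`, but the "Terraform Module Structure" diagram in ARCHITECTURE_DIAGRAMS.md, re-indented in this same diff, lists only `aws-resource-creation/`, `rke2-cluster/`, `nginx-setup/` and `nfs-setup/` under AWS Modules; update that diagram (or this one) so the module inventory matches, particularly because the PostgreSQL module is what the new "PostgreSQL Integration Architecture" section documents. The hunk itself is whitespace-only.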
@@ -178,34 +96,34 @@ graph TD
```mermaid
sequenceDiagram
- participant User
- participant GitHub Actions
- participant Cloud Provider
- participant Terraform State
-
- Note over User,Terraform State: Phase 1: Base Infrastructure (One-time)
- User->>GitHub Actions: Trigger terraform.yml
(base-infra)
- GitHub Actions->>Cloud Provider: Deploy VPC, Jumpserver, WireGuard
- Cloud Provider-->>Terraform State: Store base-infra state
- GitHub Actions-->>User: Base infrastructure ready
-
- Note over User,Terraform State: Phase 2: MOSIP Infrastructure (Repeatable)
- User->>GitHub Actions: Trigger terraform.yml
(infra)
- GitHub Actions->>Cloud Provider: Deploy K8s for MOSIP core/external services
- Cloud Provider-->>Terraform State: Store infra state
- GitHub Actions-->>User: MOSIP infrastructure ready
-
- Note over User,Terraform State: Phase 3: Observation Infrastructure (Independent)
- User->>GitHub Actions: Trigger terraform.yml
(observ-infra)
- GitHub Actions->>Cloud Provider: Deploy K8s for Rancher UI, Keycloak
- Cloud Provider-->>Terraform State: Store observ-infra state
- GitHub Actions-->>User: Observation infrastructure ready
-
- Note over User,Terraform State: Phase 4: Safe Destruction (When needed)
- User->>GitHub Actions: Trigger terraform-destroy.yml
(infra or observ-infra)
- GitHub Actions->>Cloud Provider: Destroy selected resources
- Cloud Provider-->>Terraform State: Clear selected state
- GitHub Actions-->>User: Resources destroyed, base intact
+ participant User
+ participant GitHub Actions
+ participant Cloud Provider
+ participant Terraform State
+
+ Note over User,Terraform State: Phase 1: Base Infrastructure (One-time)
+ User->>GitHub Actions: Trigger terraform.yml
(base-infra)
+ GitHub Actions->>Cloud Provider: Deploy VPC, Jumpserver, WireGuard
+ Cloud Provider-->>Terraform State: Store base-infra state
+ GitHub Actions-->>User: Base infrastructure ready
+
+ Note over User,Terraform State: Phase 2: MOSIP Infrastructure (Repeatable)
+ User->>GitHub Actions: Trigger terraform.yml
(infra)
+ GitHub Actions->>Cloud Provider: Deploy K8s for MOSIP core/external services
+ Cloud Provider-->>Terraform State: Store infra state
+ GitHub Actions-->>User: MOSIP infrastructure ready
+
+ Note over User,Terraform State: Phase 3: Observation Infrastructure (Independent)
+ User->>GitHub Actions: Trigger terraform.yml
(observ-infra)
+ GitHub Actions->>Cloud Provider: Deploy K8s for Rancher UI, Keycloak
+ Cloud Provider-->>Terraform State: Store observ-infra state
+ GitHub Actions-->>User: Observation infrastructure ready
+
+ Note over User,Terraform State: Phase 4: Safe Destruction (When needed)
+ User->>GitHub Actions: Trigger terraform-destroy.yml
(infra or observ-infra)
+ GitHub Actions->>Cloud Provider: Destroy selected resources
+ Cloud Provider-->>Terraform State: Clear selected state
+ GitHub Actions-->>User: Resources destroyed, base intact
```
## Quick Start Guide
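Review bot: every line of the sequence diagram from `participant User` through `GitHub Actions-->>User: Resources destroyed, base intact` is removed and re-added with identical content, so this hunk is indentation-only and buries any real edit in roughly 60 changed lines; either land the re-indentation as a separate whitespace-only commit or say in the commit message that the diagram text is unchanged so reviewers can confirm it with a whitespace-ignoring diff.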
@@ -213,50 +131,50 @@ sequenceDiagram
### Prerequisites
1. **GitHub Secrets Configuration** (per cloud):
- ```yaml
- # AWS (Complete Implementation)
- AWS_ACCESS_KEY_ID: your-aws-access-key
- AWS_SECRET_ACCESS_KEY: your-aws-secret-key
-
- # Azure (Placeholder Implementation)
- AZURE_CLIENT_ID: your-azure-client-id
- AZURE_CLIENT_SECRET: your-azure-client-secret
- AZURE_SUBSCRIPTION_ID: your-azure-subscription-id
- AZURE_TENANT_ID: your-azure-tenant-id
-
- # GCP (Placeholder Implementation)
- GOOGLE_CREDENTIALS: your-gcp-service-account-json
-
- # Common Requirements
- YOUR_SSH_KEY_NAME: your-ssh-private-key-content
- WG_CONFIG: wireguard-configuration
-
- # GPG Encryption (Required for State Management)
- GPG_PRIVATE_KEY: |
- -----BEGIN PGP PRIVATE KEY BLOCK-----
- your-gpg-private-key-content
- -----END PGP PRIVATE KEY BLOCK-----
-
- # Optional
- SLACK_WEBHOOK_URL: slack-webhook-for-notifications
- ```
+ ```yaml
+ # AWS (Complete Implementation)
+ AWS_ACCESS_KEY_ID: your-aws-access-key
+ AWS_SECRET_ACCESS_KEY: your-aws-secret-key
+
+ # Azure (Placeholder Implementation)
+ AZURE_CLIENT_ID: your-azure-client-id
+ AZURE_CLIENT_SECRET: your-azure-client-secret
+ AZURE_SUBSCRIPTION_ID: your-azure-subscription-id
+ AZURE_TENANT_ID: your-azure-tenant-id
+
+ # GCP (Placeholder Implementation)
+ GOOGLE_CREDENTIALS: your-gcp-service-account-json
+
+ # Common Requirements
+ YOUR_SSH_KEY_NAME: your-ssh-private-key-content
+ WG_CONFIG: wireguard-configuration
+
+ # GPG Encryption (Required for State Management)
+ GPG_PRIVATE_KEY: |
+ -----BEGIN PGP PRIVATE KEY BLOCK-----
+ your-gpg-private-key-content
+ -----END PGP PRIVATE KEY BLOCK-----
+
+ # Optional
+ SLACK_WEBHOOK_URL: slack-webhook-for-notifications
+ ```
2. **GPG Key Setup** (for state file encryption):
- ```bash
- # Generate GPG key pair (if you don't have one)
- gpg --full-generate-key
-
- # Export private key for GitHub secret
- gpg --armor --export-secret-keys your-key-id
-
- # Export public key (for team sharing)
- gpg --armor --export your-key-id
- ```
+ ```bash
+ # Generate GPG key pair (if you don't have one)
+ gpg --full-generate-key
+
+ # Export private key for GitHub secret
+ gpg --armor --export-secret-keys your-key-id
+
+ # Export public key (for team sharing)
+ gpg --armor --export your-key-id
+ ```
3. **No Remote State Storage Required**:
- - **Local Backend**: State files encrypted with GPG and stored in repository
- - **No S3/Azure Storage/GCS needed**: Eliminates remote storage dependencies
- - **Enhanced Security**: GPG encryption provides better access control than cloud storage
+ - **Local Backend**: State files encrypted with GPG and stored in repository
+ - **No S3/Azure Storage/GCS needed**: Eliminates remote storage dependencies
+ - **Enhanced Security**: GPG encryption provides better access control than cloud storage
### Step 1: Deploy Base Infrastructure
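Review bot: the secrets list names `WG_CONFIG: wireguard-configuration`, but WIREGUARD_SETUP.md in this same patch instructs users to create `TF_WG_CONFIG`, `CLUSTER_WIREGUARD_WG0` and `CLUSTER_WIREGUARD_WG1`; the README should list the names the workflows actually read. The bullet `**Enhanced Security**: GPG encryption provides better access control than cloud storage` also overstates the model: anyone who can read the `GPG_PRIVATE_KEY` environment secret can decrypt every committed state, and a local backend has no state locking, so two concurrent runs on the same branch can overwrite each other's state. Reword it to the concrete properties (no cloud storage dependency; decryption gated on the GPG key) and document the locking caveat next to `**No Remote State Storage Required**`.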
@@ -264,34 +182,34 @@ sequenceDiagram
# Via GitHub Actions UI:
# 1. Go to Actions → terraform plan / apply
# 2. Select:
-# - CLOUD_PROVIDER: aws
-# - TERRAFORM_COMPONENT: base-infra
-# - SSH_PRIVATE_KEY: YOUR_SSH_KEY_NAME
-# - TERRAFORM_APPLY: true
+# - CLOUD_PROVIDER: aws
+# - TERRAFORM_COMPONENT: base-infra
+# - SSH_PRIVATE_KEY: YOUR_SSH_KEY_NAME
+# - TERRAFORM_APPLY: true
```
### Step 2: Deploy MOSIP Infrastructure
```bash
# Via GitHub Actions UI:
-# 1. Go to Actions → terraform plan / apply
+# 1. Go to Actions → terraform plan / apply
# 2. Select:
-# - CLOUD_PROVIDER: aws
-# - TERRAFORM_COMPONENT: infra
-# - SSH_PRIVATE_KEY: YOUR_SSH_KEY_NAME
-# - TERRAFORM_APPLY: true
+# - CLOUD_PROVIDER: aws
+# - TERRAFORM_COMPONENT: infra
+# - SSH_PRIVATE_KEY: YOUR_SSH_KEY_NAME
+# - TERRAFORM_APPLY: true
```
### Step 3: Deploy Observation Infrastructure (Optional)
```bash
# Via GitHub Actions UI:
-# 1. Go to Actions → terraform plan / apply
+# 1. Go to Actions → terraform plan / apply
# 2. Select:
-# - CLOUD_PROVIDER: aws
-# - TERRAFORM_COMPONENT: observ-infra
-# - SSH_PRIVATE_KEY: YOUR_SSH_KEY_NAME
-# - TERRAFORM_APPLY: true
+# - CLOUD_PROVIDER: aws
+# - TERRAFORM_COMPONENT: observ-infra
+# - SSH_PRIVATE_KEY: YOUR_SSH_KEY_NAME
+# - TERRAFORM_APPLY: true
```
### Step 4: Access Your MOSIP Deployment
@@ -300,88 +218,63 @@ After successful deployment, access your MOSIP services:
```bash
# MOSIP Services (from infra)
-https://your-domain.mosip.net # MOSIP Landing Page
-https://api.your-domain.mosip.net # API Gateway
-https://admin.your-domain.mosip.net # Admin Console
+https://your-domain.mosip.net # MOSIP Landing Page
+https://api.your-domain.mosip.net # API Gateway
+https://admin.your-domain.mosip.net # Admin Console
# Observation Services (from observ-infra)
-https://rancher.your-domain.mosip.net # Rancher UI
-https://keycloak.your-domain.mosip.net # Keycloak Management
+https://rancher.your-domain.mosip.net # Rancher UI
+https://keycloak.your-domain.mosip.net # Keycloak Management
```
-## Directory Structure
+### Infrastructure Layer (Terraform)
```
terraform/
-├── README.md # This file
-├── base-infra/ # Foundational infrastructure
-│ ├── main.tf # Cloud selector for base infrastructure
-│ ├── variables.tf # Common base infrastructure variables
-│ ├── outputs.tf # Common base infrastructure outputs
-│ ├── aws/ # AWS base infrastructure
-│ │ ├── main.tf # AWS VPC, subnets, jumpserver, WireGuard
-│ │ ├── variables.tf # AWS-specific base variables
-│ │ └── outputs.tf # AWS base infrastructure outputs
-│ ├── azure/ # Azure base infrastructure (placeholder)
-│ └── gcp/ # GCP base infrastructure (placeholder)
-├── infra/ # MOSIP infrastructure interface
-│ ├── main.tf # Cloud selector for MOSIP infrastructure
-│ ├── variables.tf # Common MOSIP variables
-│ ├── outputs.tf # Common MOSIP outputs
-│ ├── aws/ # AWS MOSIP infrastructure interface
-│ │ ├── main.tf # Calls AWS modules for MOSIP services
-│ │ ├── variables.tf # AWS-specific MOSIP variables
-│ │ └── outputs.tf # AWS MOSIP outputs
-│ ├── azure/ # Azure MOSIP infrastructure (placeholder)
-│ └── gcp/ # GCP MOSIP infrastructure (placeholder)
-├── observ-infra/ # Observation infrastructure interface
-│ ├── main.tf # Cloud selector for observation infrastructure
-│ ├── variables.tf # Common observation variables
-│ ├── outputs.tf # Common observation outputs
-│ ├── aws/ # AWS observation infrastructure interface
-│ │ ├── main.tf # Calls AWS modules for Rancher UI, Keycloak
-│ │ ├── variables.tf # AWS-specific observation variables
-│ │ └── outputs.tf # AWS observation outputs
-│ ├── azure/ # Azure observation infrastructure (placeholder)
-│ └── gcp/ # GCP observation infrastructure (placeholder)
-├── modules/ # Reusable infrastructure modules
-│ ├── aws/ # AWS-specific modules
-│ │ ├── main.tf # AWS module interface
-│ │ ├── variables.tf # AWS module variables
-│ │ ├── outputs.tf # AWS module outputs
-│ │ ├── aws-resource-creation/ # Core AWS resources
-│ │ ├── nginx-setup/ # NGINX load balancer setup
-│ │ ├── rke2-cluster/ # RKE2 Kubernetes cluster
-│ │ ├── nfs-setup/ # NFS storage setup
-│ │ ├── postgresql-setup/ # External PostgreSQL 15 database setup
-│ │ └── rancher-keycloak-setup/ # Rancher UI + Keycloak integration
-│ ├── azure/ # Azure modules (placeholder)
-│ └── gcp/ # GCP modules (placeholder)
-├── implementations/ # Deployable configurations
-│ ├── aws/ # AWS implementations
-│ │ ├── base-infra/ # AWS base infrastructure deployment
-│ │ │ ├── main.tf # Points to base-infra/aws
-│ │ │ ├── variables.tf # AWS base configuration
-│ │ │ ├── outputs.tf # AWS base outputs
-│ │ │ └── aws.tfvars # AWS base configuration values
-│ │ ├── infra/ # AWS MOSIP infrastructure deployment
-│ │ │ ├── main.tf # Points to infra/aws
-│ │ │ ├── variables.tf # AWS MOSIP configuration
-│ │ │ ├── outputs.tf # AWS MOSIP outputs
-│ │ │ └── aws.tfvars # AWS MOSIP configuration values
-│ │ └── observ-infra/ # AWS observation infrastructure deployment
-│ │ ├── main.tf # Points to observ-infra/aws
-│ │ ├── variables.tf # AWS observation configuration
-│ │ ├── outputs.tf # AWS observation outputs
-│ │ └── aws.tfvars # AWS observation configuration values
-│ ├── azure/ # Azure implementations
-│ │ ├── base-infra/ # Azure base infrastructure
-│ │ ├── infra/ # Azure MOSIP infrastructure
-│ │ └── observ-infra/ # Azure observation infrastructure
-│ └── gcp/ # GCP implementations
-│ ├── base-infra/ # GCP base infrastructure
-│ ├── infra/ # GCP MOSIP infrastructure
-│ └── observ-infra/ # GCP observation infrastructure
+├── base-infra/ # Foundation infrastructure (VPC, networking, security)
+├── observ-infra/ # Management cluster with Rancher UI (Optional)
+├── infra/ # MOSIP Kubernetes clusters
+├── modules/ # Reusable Terraform modules
+│ ├── aws/ # AWS-specific modules
+│ │ ├── aws-resource-creation/ # VPC, subnets, security groups, EC2 instances
+│ │ ├── nginx-setup/ # Load balancer and reverse proxy configuration
+│ │ ├── postgresql-setup/ # PostgreSQL database setup and configuration
+│ │ ├── rke2-cluster/ # RKE2 Kubernetes cluster provisioning
+│ │ ├── rancher-keycloak-setup/ # Identity management and SSO setup
+│ │ └── nfs-setup/ # Network File System configuration
+│ ├── azure/ # Azure-specific modules (placeholder - community contributions needed)
+│ └── gcp/ # GCP-specific modules (placeholder - community contributions needed)
+└── implementations/ # Cloud-specific implementations
+ ├── aws/ # AWS deployment configurations
+ ├── azure/ # Azure deployment configurations
+ └── gcp/ # GCP deployment configurations
+```
+
+### Application Layer (Helmsman)
+
+```
+Helmsman/
+├── dsf/ # Desired State Files for deployments
+│ ├── prereq-dsf.yaml # Prerequisites (monitoring, Istio, logging)
+│ ├── external-dsf.yaml # External dependencies (PostgreSQL, Keycloak, MinIO, ActiveMQ, Kafka, etc.)
+│ ├── mosip-dsf.yaml # MOSIP core services
+│ └── testrigs-dsf.yaml # Testing suite (API, DSL, UI test rigs)
+├── hooks/ # Scripts needed for automated deployment
+└── utils/ # Utilities and configurations
+ ├── istio-addons/ # Service mesh components
+ ├── logging/ # Logging stack configurations (optional)
+ └── monitoring/ # Monitoring and alerting setup (optional)
+```
+
+### Automation Layer (GitHub Actions)
+
+```
+.github/workflows/
+├── terraform.yml # Infrastructure provisioning workflow
+├── terraform-destroy.yml # Infrastructure cleanup workflow
+├── helmsman_external.yml # External dependencies deployment
+├── helmsman_mosip.yml # MOSIP core services deployment
+└── helmsman_testrigs.yml # Testing infrastructure deployment
```
## State Management
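Review bot: replacing `## Directory Structure` with `### Infrastructure Layer (Terraform)`, `### Application Layer (Helmsman)` and `### Automation Layer (GitHub Actions)` drops the H2, so the three listings now render as subsections of `## Quick Start Guide` directly after `### Step 4: Access Your MOSIP Deployment`; keep an H2 above them. The new Terraform tree also omits the per-component `main.tf`/`variables.tf`/`outputs.tf` files and the `implementations/aws/*/aws.tfvars` files that the modules README in this patch still references, so if the intent is a high-level view, say so above the tree rather than presenting it as the full layout.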
@@ -396,17 +289,17 @@ Encrypted State Management
Local State Files (Encrypted with GPG):
├── .terraform-state/
-│ ├── aws-base-infra-testgrid-terraform.tfstate.gpg ← Encrypted
-│ ├── aws-infra-testgrid-terraform.tfstate.gpg ← Encrypted
-│ └── aws-observ-infra-testgrid-terraform.tfstate.gpg ← Encrypted
+│ ├── aws-base-infra-testgrid-terraform.tfstate.gpg ← Encrypted
+│ ├── aws-infra-testgrid-terraform.tfstate.gpg ← Encrypted
+│ └── aws-observ-infra-testgrid-terraform.tfstate.gpg ← Encrypted
Temporary Decrypted Files (During Operations):
├── terraform/base-infra/
-│ └── aws-base-infra-testgrid-terraform.tfstate ← Temporary
+│ └── aws-base-infra-testgrid-terraform.tfstate ← Temporary
├── terraform/infra/
-│ └── aws-infra-testgrid-terraform.tfstate ← Temporary
+│ └── aws-infra-testgrid-terraform.tfstate ← Temporary
└── terraform/observ-infra/
- └── aws-observ-infra-testgrid-terraform.tfstate ← Temporary
+ └── aws-observ-infra-testgrid-terraform.tfstate ← Temporary
```
### GPG Encryption Benefits
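Review bot: the `Temporary Decrypted Files (During Operations)` tree shows plaintext `*.tfstate` written into `terraform/base-infra/`, `terraform/infra/` and `terraform/observ-infra/` during a run, but the section never says how they are removed. Terraform state carries resource attributes and secrets in plaintext, so state here that the workflow deletes the decrypted file in a step that also runs on failure and that `*.tfstate` and `*.tfstate.backup` are ignored by git; otherwise a failed run followed by the step that commits the encrypted state can push plaintext state into the repository.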
@@ -424,10 +317,10 @@ State files use descriptive naming pattern: `{provider}-{component}-{branch}-ter
```
Examples:
-├── aws-base-infra-main-terraform.tfstate.gpg # Production base infrastructure
-├── aws-infra-staging-terraform.tfstate.gpg # Staging MOSIP cluster
+├── aws-base-infra-main-terraform.tfstate.gpg # Production base infrastructure
+├── aws-infra-staging-terraform.tfstate.gpg # Staging MOSIP cluster
├── aws-observ-infra-development-terraform.tfstate.gpg # Dev monitoring cluster
-└── azure-infra-testgrid-terraform.tfstate.gpg # Test environment
+└── azure-infra-testgrid-terraform.tfstate.gpg # Test environment
```
### Isolated State Files
@@ -439,25 +332,25 @@ Encrypted State File Isolation Structure
=========================================
AWS Encrypted States (.gpg files):
-├── aws-base-infra-{branch}-terraform.tfstate.gpg (VPC, Jumpserver, WireGuard)
-├── aws-infra-{branch}-terraform.tfstate.gpg (K8s for MOSIP Core/External)
-└── aws-observ-infra-{branch}-terraform.tfstate.gpg (K8s for Rancher UI, Keycloak)
+├── aws-base-infra-{branch}-terraform.tfstate.gpg (VPC, Jumpserver, WireGuard)
+├── aws-infra-{branch}-terraform.tfstate.gpg (K8s for MOSIP Core/External)
+└── aws-observ-infra-{branch}-terraform.tfstate.gpg (K8s for Rancher UI, Keycloak)
Azure Encrypted States (.gpg files):
-├── azure-base-infra-{branch}-terraform.tfstate.gpg (VNet, Jumpserver, WireGuard)
-├── azure-infra-{branch}-terraform.tfstate.gpg (RKE2 for MOSIP Core/External)
+├── azure-base-infra-{branch}-terraform.tfstate.gpg (VNet, Jumpserver, WireGuard)
+├── azure-infra-{branch}-terraform.tfstate.gpg (RKE2 for MOSIP Core/External)
└── azure-observ-infra-{branch}-terraform.tfstate.gpg (RKE2 for Rancher UI, Keycloak)
GCP Encrypted States (.gpg files):
-├── gcp-base-infra-{branch}-terraform.tfstate.gpg (VPC, Jumpserver, WireGuard)
-├── gcp-infra-{branch}-terraform.tfstate.gpg (RKE2 for MOSIP Core/External)
-└── gcp-observ-infra-{branch}-terraform.tfstate.gpg (RKE2 for Rancher UI, Keycloak)
+├── gcp-base-infra-{branch}-terraform.tfstate.gpg (VPC, Jumpserver, WireGuard)
+├── gcp-infra-{branch}-terraform.tfstate.gpg (RKE2 for MOSIP Core/External)
+└── gcp-observ-infra-{branch}-terraform.tfstate.gpg (RKE2 for Rancher UI, Keycloak)
```
### Benefits of GPG Encrypted Isolated States
- **Enhanced Security**: All state files encrypted before storage
-- **Branch Isolation**: Each branch has separate encrypted state files
+- **Branch Isolation**: Each branch has separate encrypted state files
- **No Cloud Dependencies**: No need for S3/Azure Storage/GCS setup
- **Access Control**: Only users with GPG private key can decrypt states
- **Git-Safe Storage**: Encrypted states safely committed to repository
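Review bot: `**Access Control**: Only users with GPG private key can decrypt states` and `**Git-Safe Storage**: Encrypted states safely committed to repository` need a caveat about history: every `.tfstate.gpg` ever committed remains in git history, so anyone who held the key at any time (or obtains a leaked copy) can decrypt all past states, and rotating the key means re-encrypting every committed state file, not just replacing the `GPG_PRIVATE_KEY` secret. Add a short paragraph on key rotation and compromise handling, and recommend a dedicated key used only for this purpose.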
@@ -547,7 +440,7 @@ Deployment Sequence:
terraform.yml → CLOUD_PROVIDER: aws, TERRAFORM_COMPONENT: base-infra
terraform.yml → CLOUD_PROVIDER: aws, TERRAFORM_COMPONENT: infra
-# Deploy to Azure
+# Deploy to Azure
terraform.yml → CLOUD_PROVIDER: azure, TERRAFORM_COMPONENT: base-infra
terraform.yml → CLOUD_PROVIDER: azure, TERRAFORM_COMPONENT: infra
@@ -563,10 +456,10 @@ Create multiple environments by duplicating implementation directories:
```
implementations/
├── aws/
-│ ├── base-infra/ # Shared base infrastructure
-│ ├── infra-prod/ # Production environment
-│ ├── infra-staging/ # Staging environment
-│ └── infra-dev/ # Development environment
+│ ├── base-infra/ # Shared base infrastructure
+│ ├── infra-prod/ # Production environment
+│ ├── infra-staging/ # Staging environment
+│ └── infra-dev/ # Development environment
```
### Custom Module Development
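Review bot: the multi-environment tree introduces `infra-prod/`, `infra-staging/` and `infra-dev/` under `implementations/aws/`, but the workflow inputs documented earlier only accept `TERRAFORM_COMPONENT: base-infra`, `infra` or `observ-infra`, and the state file pattern `{provider}-{component}-{branch}-terraform.tfstate.gpg` keys on branch rather than directory; explain how a duplicated directory is selected by the workflow, or whether environments are meant to be branches, since as written the two mechanisms contradict each other.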
@@ -576,10 +469,10 @@ Add new modules following the established pattern:
```
modules/
├── aws/
-│ ├── your-custom-module/
-│ │ ├── main.tf
-│ │ ├── variables.tf
-│ │ └── outputs.tf
+│ ├── your-custom-module/
+│ │ ├── main.tf
+│ │ ├── variables.tf
+│ │ └── outputs.tf
```
## Troubleshooting
@@ -588,25 +481,25 @@ modules/
1. **State File Conflicts**
- ```
- Error: Resource already exists in state
- ```
+ ```
+ Error: Resource already exists in state
+ ```
- **Solution**: Ensure you're not mixing old and new directory structures
+ **Solution**: Ensure you're not mixing old and new directory structures
2. **Backend Configuration Issues**
- ```
- Error: Backend configuration changed
- ```
+ ```
+ Error: Backend configuration changed
+ ```
- **Solution**: Run `terraform init -reconfigure` in the implementation directory
+ **Solution**: Run `terraform init -reconfigure` in the implementation directory
3. **Missing Dependencies**
- ```
- Error: base-infra resources not found
- ```
+ ```
+ Error: base-infra resources not found
+ ```
- **Solution**: Deploy base-infra before application infrastructure
+ **Solution**: Deploy base-infra before application infrastructure
### Debugging Tips
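Review bot: under `1. **State File Conflicts**` the advice `**Solution**: Ensure you're not mixing old and new directory structures` does not tell the reader what to check; name the concrete indicator (for example a committed `.tfstate.gpg` whose `{component}` part does not match the directory being applied) and the recovery step, as item 2 does with `terraform init -reconfigure`.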
diff --git a/terraform/base-infra/WIREGUARD_SETUP.md b/terraform/base-infra/WIREGUARD_SETUP.md
index dcd2c36c..a395de38 100644
--- a/terraform/base-infra/WIREGUARD_SETUP.md
+++ b/terraform/base-infra/WIREGUARD_SETUP.md
@@ -37,7 +37,7 @@ ls
**Expected output:**
```
-peer1/ peer2/ peer3/ peer4/ peer5/ ...
+peer1/ peer2/ peer3/ peer4/ peer5/ ...
```
### Step 3: Assign and Configure a Peer
@@ -52,7 +52,7 @@ nano assigned.txt
**Example assigned.txt content:**
```
peer1 : john.doe
-peer2 : jane.smith
+peer2 : jane.smith
peer3 : admin.user
peer4 : available
peer5 : available
@@ -88,12 +88,12 @@ AllowedIPs = 0.0.0.0/0
[Interface]
PrivateKey =
Address = 10.0.1.4/24
-# DNS = 1.1.1.1 <-- DELETE THIS LINE
+# DNS = 1.1.1.1 <-- DELETE THIS LINE
[Peer]
PublicKey =
Endpoint = :51820
-AllowedIPs = 10.10.20.0/23 # <-- UPDATE TO YOUR SUBNET CIDR
+AllowedIPs = 10.10.20.0/23 # <-- UPDATE TO YOUR SUBNET CIDR
```
**Required Changes:**
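Review bot: the sample peer config narrows `AllowedIPs` from the `0.0.0.0/0` shown in the hunk context to `10.10.20.0/23` and tells the reader to delete `DNS = 1.1.1.1`, but gives no reason for either; state the intent (only cluster-subnet traffic should traverse the tunnel, while the runner keeps its own default route and resolver) so readers do not revert it. `PrivateKey =`, `PublicKey =` and `Endpoint = :51820` are left with empty values; mark them explicitly as placeholders to fill in rather than blanks that read like a typo.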
@@ -178,19 +178,19 @@ After setting up WireGuard, you need to create **multiple peer configurations**
#### Required Peer Configurations
1. **Create Multiple Peers:**
- ```bash
- # Configure peer1 for Terraform access
- cd /home/ubuntu/wireguard/config/peer1
- nano peer1.conf
-
- # Configure peer2 for Helmsman access
- cd /home/ubuntu/wireguard/config/peer2
- nano peer2.conf
- ```
+ ```bash
+ # Configure peer1 for Terraform access
+ cd /home/ubuntu/wireguard/config/peer1
+ nano peer1.conf
+
+ # Configure peer2 for Helmsman access
+ cd /home/ubuntu/wireguard/config/peer2
+ nano peer2.conf
+ ```
2. **Apply Same Configuration Changes to Both Peers:**
- - Delete the DNS IP line
- - Update AllowedIPs to your subnet CIDR (e.g., `10.10.20.0/23`)
+ - Delete the DNS IP line
+ - Update AllowedIPs to your subnet CIDR (e.g., `10.10.20.0/23`)
#### GitHub Environment Secrets Setup
@@ -200,27 +200,27 @@ After setting up WireGuard, you need to create **multiple peer configurations**
**Add the following Environment Secrets:**
1. **TF_WG_CONFIG Secret:**
- - Name: `TF_WG_CONFIG`
- - Value: Contents of `peer1.conf`
- - Purpose: Terraform infrastructure deployments via private IPs
+ - Name: `TF_WG_CONFIG`
+ - Value: Contents of `peer1.conf`
+ - Purpose: Terraform infrastructure deployments via private IPs
2. **CLUSTER_WIREGUARD_WG0 Secret:**
- - Name: `CLUSTER_WIREGUARD_WG0`
- - Value: Contents of `peer1.conf`
- - Purpose: Helmsman cluster access (primary connection)
+ - Name: `CLUSTER_WIREGUARD_WG0`
+ - Value: Contents of `peer1.conf`
+ - Purpose: Helmsman cluster access (primary connection)
3. **CLUSTER_WIREGUARD_WG1 Secret:**
- - Name: `CLUSTER_WIREGUARD_WG1`
- - Value: Contents of `peer2.conf`
- - Purpose: Helmsman cluster access (secondary connection)
+ - Name: `CLUSTER_WIREGUARD_WG1`
+ - Value: Contents of `peer2.conf`
+ - Purpose: Helmsman cluster access (secondary connection)
#### Secret Configuration Summary
```yaml
# Required Environment Secrets for WireGuard Access
-TF_WG_CONFIG: "" # Terraform workflows
-CLUSTER_WIREGUARD_WG0: "" # Helmsman primary
-CLUSTER_WIREGUARD_WG1: "" # Helmsman secondary
+TF_WG_CONFIG: "" # Terraform workflows
+CLUSTER_WIREGUARD_WG0: "" # Helmsman primary
+CLUSTER_WIREGUARD_WG1: "" # Helmsman secondary
```
#### Purpose of Multiple Configurations
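Review bot: `TF_WG_CONFIG` and `CLUSTER_WIREGUARD_WG0` are both given `Value: Contents of peer1.conf`, so the Terraform workflow and the Helmsman primary connection share one WireGuard peer identity; the server tracks a single endpoint per peer key, so if `terraform.yml` and a `helmsman_*.yml` workflow run at the same time the two clients will displace each other's session. Assign a distinct peer per consumer (a third peer for Terraform, or state that the workflows must not run concurrently), which also keeps the per-peer ownership recorded in `assigned.txt` meaningful.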
diff --git a/terraform/modules/aws/README.md b/terraform/modules/aws/README.md
index 8dbc8517..59d2ba33 100644
--- a/terraform/modules/aws/README.md
+++ b/terraform/modules/aws/README.md
@@ -9,72 +9,72 @@ The infrastructure consists of four key components:
1. **AWS Resource Creation:**
- * This component is responsible for creating all the necessary AWS infrastructure that other components depend on. It sets up:
- * AWS Security Groups to control network traffic.
- * IAM roles and policies are used to grant permission to the Nginx EC2 instance to update DNS records for certbot validation in order to generate an SSL certificate.
- * EC2 Instances for Nginx load balancer, Kubernetes Control Plane, ETCD, and Worker nodes.
- * DNS Records (Route53) for domain name resolution.
+ * This component is responsible for creating all the necessary AWS infrastructure that other components depend on. It sets up:
+ * AWS Security Groups to control network traffic.
+ * IAM roles and policies are used to grant permission to the Nginx EC2 instance to update DNS records for certbot validation in order to generate an SSL certificate.
+ * EC2 Instances for Nginx load balancer, Kubernetes Control Plane, ETCD, and Worker nodes.
+ * DNS Records (Route53) for domain name resolution.
2. **NGINX setup:**
- * The NGINX setup component is responsible for deploying an NGINX server and updating its configuration file to act as a load balancer.
- * This ensures that external traffic can be routed to Istio node ports, which then route the request to the services running on the Kubernetes cluster.
+ * The NGINX setup component is responsible for deploying an NGINX server and updating its configuration file to act as a load balancer.
+ * This ensures that external traffic can be routed to Istio node ports, which then route the request to the services running on the Kubernetes cluster.
3. **RKE2 Setup**
- * This component focuses on deploying the `Rancher Kubernetes Engine 2 (RKE2) cluster` and importing it into the `Rancher UI` dashboard.
- * It also handles downloading necessary files such as the `kubectl` binary and `kubeconfig` file from the control plane nodes, using the infrastructure provisioned by the AWS component. It manages:
+ * This component focuses on deploying the `Rancher Kubernetes Engine 2 (RKE2) cluster` and importing it into the `Rancher UI` dashboard.
+ * It also handles downloading necessary files such as the `kubectl` binary and `kubeconfig` file from the control plane nodes, using the infrastructure provisioned by the AWS component. It manages:
4. **NFS Setup**
- * The NFS setup component provides shared file storage for the Kubernetes cluster. This involves:
- * **NFS Server Setup** for hosting the storage.
- * **NFS Client Configuration** for enabling Kubernetes workloads to use NFS volumes as storage class.
- * By default, the Nginx node is used as the NFS server.
- If you wish to designate a separate node for this purpose, please update the following variables in the `main.tf` file for the `nfs-setup` module:
- * `NFS_SERVER_LOCATION`
- * `NFS_SERVER`
- * `SSH_PRIVATE_KEY`
+ * The NFS setup component provides shared file storage for the Kubernetes cluster. This involves:
+ * **NFS Server Setup** for hosting the storage.
+ * **NFS Client Configuration** for enabling Kubernetes workloads to use NFS volumes as storage class.
+ * By default, the Nginx node is used as the NFS server.
+ If you wish to designate a separate node for this purpose, please update the following variables in the `main.tf` file for the `nfs-setup` module:
+ * `NFS_SERVER_LOCATION`
+ * `NFS_SERVER`
+ * `SSH_PRIVATE_KEY`
## Create MOSIP Infrastructure
### Prerequisites
* Import `infra` repository to your GitHub account and set its visibility to private to ensure confidentiality.
- - Go to the repository URL and click "Use this template" or "Fork"
- - Set repository visibility to "Private"
- - Import may take some time to prepare the repository
+ - Go to the repository URL and click "Use this template" or "Fork"
+ - Set repository visibility to "Private"
+ - Import may take some time to prepare the repository
* Create a new branch `env-` from master branch.
* Goto `terraform/` location and update environment related details in `env.tfvars` file.
- * `CLUSTER_NAME`: The name of the Kubernetes cluster.Example: `sandbox`
- * `CLUSTER_ENV_DOMAIN`: The domain name for MOSIP.Example: `sandbox.xyz.net`
- * `MOSIP_EMAIL_ID`: The email address used by Certbot to send SSL certificate expiry notifications.
- * `SSH_KEY_NAME`: The SSH key name used for accessing AWS node instances via SSH. Ensure an SSH key pair is created/exists on AWS, and provide the key pair name in this field.Example: `my-ssh-key`
- * `AWS_PROVIDER_REGION`: The AWS region where resources will be created.Example: `ap-south-1`
- * `K8S_INSTANCE_TYPE`: The instance type for Kubernetes nodes.Default: `t3a.2xlarge`
- * `NGINX_INSTANCE_TYPE`: The instance type for the Nginx server.Default: `t3a.medium`
- * `ZONE_ID`: The Route 53 hosted zone ID associated with the domain.
- * `AMI`: The Amazon Machine Image (AMI) ID for the instances.Default: `ami-0ad21ae1d0696ad58`Note: `This is specific to Ubuntu 24.04.`
- * `K8S_INFRA_REPO_URL`: The URL of the Kubernetes infrastructure repository.Default: `https://github.com/mosip/k8s-infra.git`
- * `K8S_INFRA_BRANCH`: The branch of the Kubernetes infrastructure repository to be used.Default: `MOSIP-34911`
- * `NGINX_NODE_ROOT_VOLUME_SIZE`: The root volume size (in GB) for the Nginx node.Default: `24`
- * `NGINX_NODE_EBS_VOLUME_SIZE`: The EBS volume size (in GB) for the Nginx node.
- This volume will be used as a NFS server location for kubernetes storage class.Default: `300`
- * `K8S_INSTANCE_ROOT_VOLUME_SIZE`: The root volume size (in GB) for the Kubernetes nodes.Default: `64`
- * `K8S_CONTROL_PLANE_NODE_COUNT`: The number of control-plane nodes for the Kubernetes cluster. These nodes will serve as a control-plane, ETCD, and worker node within the Kubernetes cluster.Default: `4`
- * `K8S_ETCD_NODE_COUNT`: The number of ETCD nodes in the Kubernetes cluster. These nodes will serve as a ETCD and worker node within the Kubernetes cluster.Default: `2`
- * `K8S_WORKER_NODE_COUNT`: The number of worker nodes in the Kubernetes cluster. These nodes will serve as a worker node within the Kubernetes cluster.Default: `2`
- * `RANCHER_IMPORT_URL`: The Rancher import URL used to import the Kubernetes cluster into Rancher.
- Default: `"kubectl apply -f "`
+ * `CLUSTER_NAME`: The name of the Kubernetes cluster.Example: `sandbox`
+ * `CLUSTER_ENV_DOMAIN`: The domain name for MOSIP.Example: `sandbox.xyz.net`
+ * `MOSIP_EMAIL_ID`: The email address used by Certbot to send SSL certificate expiry notifications.
+ * `SSH_KEY_NAME`: The SSH key name used for accessing AWS node instances via SSH. Ensure an SSH key pair is created/exists on AWS, and provide the key pair name in this field.Example: `my-ssh-key`
+ * `AWS_PROVIDER_REGION`: The AWS region where resources will be created.Example: `ap-south-1`
+ * `K8S_INSTANCE_TYPE`: The instance type for Kubernetes nodes.Default: `t3a.2xlarge`
+ * `NGINX_INSTANCE_TYPE`: The instance type for the Nginx server.Default: `t3a.medium`
+ * `ZONE_ID`: The Route 53 hosted zone ID associated with the domain.
+ * `AMI`: The Amazon Machine Image (AMI) ID for the instances.Default: `ami-0ad21ae1d0696ad58`Note: `This is specific to Ubuntu 24.04.`
+ * `K8S_INFRA_REPO_URL`: The URL of the Kubernetes infrastructure repository.Default: `https://github.com/mosip/k8s-infra.git`
+ * `K8S_INFRA_BRANCH`: The branch of the Kubernetes infrastructure repository to be used.Default: `MOSIP-34911`
+ * `NGINX_NODE_ROOT_VOLUME_SIZE`: The root volume size (in GB) for the Nginx node.Default: `24`
+ * `NGINX_NODE_EBS_VOLUME_SIZE`: The EBS volume size (in GB) for the Nginx node.
+ This volume will be used as a NFS server location for kubernetes storage class.Default: `300`
+ * `K8S_INSTANCE_ROOT_VOLUME_SIZE`: The root volume size (in GB) for the Kubernetes nodes.Default: `64`
+ * `K8S_CONTROL_PLANE_NODE_COUNT`: The number of control-plane nodes for the Kubernetes cluster. These nodes will serve as a control-plane, ETCD, and worker node within the Kubernetes cluster.Default: `4`
+ * `K8S_ETCD_NODE_COUNT`: The number of ETCD nodes in the Kubernetes cluster. These nodes will serve as a ETCD and worker node within the Kubernetes cluster.Default: `2`
+ * `K8S_WORKER_NODE_COUNT`: The number of worker nodes in the Kubernetes cluster. These nodes will serve as a worker node within the Kubernetes cluster.Default: `2`
+ * `RANCHER_IMPORT_URL`: The Rancher import URL used to import the Kubernetes cluster into Rancher.
+ Default: `"kubectl apply -f "`
### Run `terraform plan / apply` workflow to set up MOSIP infrastructure
* This GitHub Action automates the Terraform workflow,
- allowing users to run `terraform plan` and optionally `terraform apply` commands within a CI/CD pipeline.
- The workflow is triggered manually via workflow_dispatch.
+ allowing users to run `terraform plan` and optionally `terraform apply` commands within a CI/CD pipeline.
+ The workflow is triggered manually via workflow_dispatch.
* To trigger this workflow:
- 1. Go to the `Actions` tab in your GitHub repository
- 2. Select `terraform plan / apply` workflow
- 3. Click `Run workflow`
- 4. Provide the required inputs
- 5. Click `Run workflow` to start the workflow
+ 1. Go to the `Actions` tab in your GitHub repository
+ 2. Select `terraform plan / apply` workflow
+ 3. Click `Run workflow`
+ 4. Provide the required inputs
+ 5. Click `Run workflow` to start the workflow
### Inputs
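Review bot: in `3. **RKE2 Setup**` the sentence `It manages:` ends in a colon with no list following it in either the old or the new version; add the managed items or drop the clause. Two defaults in the `env.tfvars` list need a caveat: `AMI` defaults to `ami-0ad21ae1d0696ad58`, but AMI IDs are region-specific, so changing `AWS_PROVIDER_REGION` away from that image's region fails unless the AMI is changed too, and `K8S_INFRA_BRANCH` defaults to the ticket branch `MOSIP-34911` rather than a release tag, which should be called out for production use. Minor: `cluster.Example:`, `MOSIP.Example:` and the other `Default:`/`Note:` entries lose the space before the label throughout the list, and `Create a new branch `env-` from master branch` reads as truncated.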
@@ -92,13 +92,13 @@ The infrastructure consists of four key components:
### Run `terraform destroy` workflow
* This GitHub Action automates the `Terraform destroy` command within a CI/CD pipeline.
- The workflow can be manually triggered to destroy infrastructure managed by Terraform.
+ The workflow can be manually triggered to destroy infrastructure managed by Terraform.
* To trigger this workflow:
- 1. Go to the `Actions` tab in your GitHub repository
- 2. Select `terraform destroy` workflow
- 3. Click `Run workflow`
- 4. Provide the required inputs
- 5. Click `Run workflow` to start the workflow
+ 1. Go to the `Actions` tab in your GitHub repository
+ 2. Select `terraform destroy` workflow
+ 3. Click `Run workflow`
+ 4. Provide the required inputs
+ 5. Click `Run workflow` to start the workflow
### Inputs
@@ -129,11 +129,11 @@ The setup includes:
* Terraform version: `v1.8.4`
* AWS Account
* AWS CLI configured with appropriate credentials
- ```
- $ export AWS_ACCESS_KEY_ID=
- $ export AWS_SECRET_ACCESS_KEY=
- $ export TF_VAR_SSH_PRIVATE_KEY=
- ```
+ ```
+ $ export AWS_ACCESS_KEY_ID=
+ $ export AWS_SECRET_ACCESS_KEY=
+ $ export TF_VAR_SSH_PRIVATE_KEY=
+ ```
## Files
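Review bot: the credentials block `$ export AWS_ACCESS_KEY_ID=`, `$ export AWS_SECRET_ACCESS_KEY=`, `$ export TF_VAR_SSH_PRIVATE_KEY=` puts a long-lived access key and the full SSH private key into the shell environment, where they end up in shell history and are readable by every child process; point at `aws configure` or a named profile (preferably short-lived STS credentials) for AWS, and read the key from a file rather than pasting its contents into an export. The fence also lacks a language tag, while the other blocks in this patch use ```bash.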
@@ -147,36 +147,36 @@ The setup includes:
* Initialize Terraform.
- ```
- terraform init
- ```
+ ```
+ terraform init
+ ```
* Review and modify variable values:
- * Ensure `locals.tf` contains correct values for your setup.
- * Update values in `env.tfvars` as per your organization requirement.
+ * Ensure `locals.tf` contains correct values for your setup.
+ * Update values in `env.tfvars` as per your organization requirement.
* Terraform validate & plan the terraform scripts:
- ```
- terraform validate
- ```
+ ```
+ terraform validate
+ ```
- ```
- terraform plan -var-file="./aws.tfvars
- ```
+ ```
+ terraform plan -var-file="./aws.tfvars
+ ```
* Apply the Terraform configuration:
- ```
- terraform apply -var-file="./aws.tfvars
- ```
+ ```
+ terraform apply -var-file="./aws.tfvars
+ ```
## Destroy
To destroy AWS resources, follow the steps below:
* Ensure to have `terraform.tfstate` file.
- ```
- terraform destroy -var-file=./aws.tfvars
- ```
+ ```
+ terraform destroy -var-file=./aws.tfvars
+ ```
## COMPONENTS
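Review bot: `terraform plan -var-file="./aws.tfvars` and `terraform apply -var-file="./aws.tfvars` have an unclosed double quote, present before this change and carried through, so pasting them into a shell waits for more input instead of running; fix to `terraform plan -var-file="./aws.tfvars"` and `terraform apply -var-file="./aws.tfvars"`. The destroy command `terraform destroy -var-file=./aws.tfvars` is correct as-is, and since these lines are being touched for whitespace anyway this is the moment to fix them.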
@@ -185,41 +185,41 @@ To destroy AWS resources, follow the steps below:
This module is responsible for creating the AWS resources needed for the MOSIP platform, including security groups, an NGINX server, and a Kubernetes cluster nodes.
* Inputs:
- * `CLUSTER_NAME`: The name of the Kubernetes cluster.
- * `AWS_PROVIDER_REGION`: The AWS region for resource creation.
- * `SSH_KEY_NAME`: The name of the SSH key for accessing instances.
- * `K8S_INSTANCE_TYPE`: The instance type for Kubernetes nodes.
- * `NGINX_INSTANCE_TYPE`: The instance type for the NGINX server.
- * `CLUSTER_ENV_DOMAIN`: The domain name for the MOSIP platform.
- * `ZONE_ID`: The Route 53 hosted zone ID.
- * `AMI`: The Amazon Machine Image ID for the instances.
- * `SECURITY_GROUP`: Security group configurations.
+ * `CLUSTER_NAME`: The name of the Kubernetes cluster.
+ * `AWS_PROVIDER_REGION`: The AWS region for resource creation.
+ * `SSH_KEY_NAME`: The name of the SSH key for accessing instances.
+ * `K8S_INSTANCE_TYPE`: The instance type for Kubernetes nodes.
+ * `NGINX_INSTANCE_TYPE`: The instance type for the NGINX server.
+ * `CLUSTER_ENV_DOMAIN`: The domain name for the MOSIP platform.
+ * `ZONE_ID`: The Route 53 hosted zone ID.
+ * `AMI`: The Amazon Machine Image ID for the instances.
+ * `SECURITY_GROUP`: Security group configurations.
#### nginx-setup
This module sets up NGINX and configures it with the provided domain and SSL certificates.
* Inputs:
- * `NGINX_PUBLIC_IP`: The public IP address of the NGINX server.
- * `CLUSTER_ENV_DOMAIN`: The domain name for the MOSIP platform.
- * `MOSIP_K8S_CLUSTER_NODES_PRIVATE_IP_LIST`: List of private IP addresses of the Kubernetes nodes.
- * `MOSIP_PUBLIC_DOMAIN_LIST`: List of public domain names.
- * `CERTBOT_EMAIL`: The email ID for SSL certificate generation.
- * `SSH_KEY_NAME`: SSH private key used for login (i.e., file content of SSH pem key).
+ * `NGINX_PUBLIC_IP`: The public IP address of the NGINX server.
+ * `CLUSTER_ENV_DOMAIN`: The domain name for the MOSIP platform.
+ * `MOSIP_K8S_CLUSTER_NODES_PRIVATE_IP_LIST`: List of private IP addresses of the Kubernetes nodes.
+ * `MOSIP_PUBLIC_DOMAIN_LIST`: List of public domain names.
+ * `CERTBOT_EMAIL`: The email ID for SSL certificate generation.
+ * `SSH_KEY_NAME`: SSH private key used for login (i.e., file content of SSH pem key).
#### rke2-setup
This module sets up RKE2 kubernetes cluster.
* **Primary Control Plane Node Setup :**
- This resource sets up the primary control plane node.
- It connects to the node via SSH, uploads the rke2-setup.sh script, and executes it to configure the node.
+ This resource sets up the primary control plane node.
+ It connects to the node via SSH, uploads the rke2-setup.sh script, and executes it to configure the node.
* **Additional Nodes Setup :**
- This resource sets up additional nodes (control plane, ETCD, and worker nodes) in the cluster.
- It follows a similar process to the primary node setup.
+ This resource sets up additional nodes (control plane, ETCD, and worker nodes) in the cluster.
+ It follows a similar process to the primary node setup.
* **Rancher Import :**
- This resource imports the RKE2 cluster into Rancher.
- It connects to the primary control plane node, configures kubectl, and applies the Rancher import URL.
+ This resource imports the RKE2 cluster into Rancher.
+ It connects to the primary control plane node, configures kubectl, and applies the Rancher import URL.
#### nfs-setup
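Review bot: `SSH_KEY_NAME` means two different things in this hunk: under aws-resource-creation it is "The name of the SSH key for accessing instances", but under nginx-setup it is "SSH private key used for login (i.e., file content of SSH pem key)". Passing key file contents through a variable named `*_NAME` is a trap for anyone wiring the modules together; suggest the nginx-setup input be documented (and ideally named) as `SSH_PRIVATE_KEY`, matching the nfs-setup module, and flagged as sensitive. Minor wording while here: "a Kubernetes cluster nodes" should read "Kubernetes cluster nodes", and "RKE2 kubernetes cluster" should capitalise Kubernetes.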
@@ -227,12 +227,12 @@ This Terraform module, nfs-setup, is designed to configure and deploy an NFS (Ne
The module depends on other infrastructure modules for AWS resource creation and RKE2 setup.
* Inputs:
- * `NFS_SERVER_LOCATION`: The location on the NFS server where the files will be stored. This is dynamically set based on the `CLUSTER_ENV_DOMAIN` variable.
- * `NFS_SERVER`: The private IP address of the NGINX server, which acts as the NFS server. This value is retrieved from the aws-resource-creation module.
- * `SSH_PRIVATE_KEY`: The SSH private key used for accessing the NFS server.
- * `K8S_INFRA_REPO_URL`: The URL of the Kubernetes infrastructure repository where the configuration files are stored.
- * `K8S_INFRA_BRANCH`: The branch of the Kubernetes infrastructure repository to be used.
- * `CLUSTER_NAME`: The name of the Kubernetes cluster that will use the NFS setup.
+ * `NFS_SERVER_LOCATION`: The location on the NFS server where the files will be stored. This is dynamically set based on the `CLUSTER_ENV_DOMAIN` variable.
+ * `NFS_SERVER`: The private IP address of the NGINX server, which acts as the NFS server. This value is retrieved from the aws-resource-creation module.
+ * `SSH_PRIVATE_KEY`: The SSH private key used for accessing the NFS server.
+ * `K8S_INFRA_REPO_URL`: The URL of the Kubernetes infrastructure repository where the configuration files are stored.
+ * `K8S_INFRA_BRANCH`: The branch of the Kubernetes infrastructure repository to be used.
+ * `CLUSTER_NAME`: The name of the Kubernetes cluster that will use the NFS setup.
## Outputs
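Review bot: The `NFS_SERVER` description states that the NGINX server "acts as the NFS server", so the same host that terminates public TLS traffic also exports cluster storage; the README should say how the export is restricted (for example to the node private IP list the other modules already carry) so operators do not assume it is isolated. The `SSH_PRIVATE_KEY` input should also be documented as sensitive, since the re-indented lines describe it only as "The SSH private key used for accessing the NFS server".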
diff --git a/terraform/modules/aws/aws-resource-creation/README.md b/terraform/modules/aws/aws-resource-creation/README.md
index cf9bfe95..c2a5e1ab 100644
--- a/terraform/modules/aws/aws-resource-creation/README.md
+++ b/terraform/modules/aws/aws-resource-creation/README.md
@@ -15,10 +15,10 @@ This Terraform script sets up an AWS infrastructure that includes:
* Terraform version: `v1.8.4`
* AWS Account
* AWS CLI configured with appropriate credentials
- ```
- $ export AWS_ACCESS_KEY_ID=
- $ export AWS_SECRET_ACCESS_KEY=
- ```
+ ```
+ $ export AWS_ACCESS_KEY_ID=
+ $ export AWS_SECRET_ACCESS_KEY=
+ ```
* Ensure SSH key created for accessing EC2 instances on AWS.
## Files
@@ -32,46 +32,46 @@ This Terraform script sets up an AWS infrastructure that includes:
* Initialize Terraform
- ```
- terraform init
- ```
+ ```
+ terraform init
+ ```
* Review and modify variable values:
- * Ensure `aws.tfvars` contains correct values for your setup.
- * Verify `variables.tf` for any additional configuration needs.
+ * Ensure `aws.tfvars` contains correct values for your setup.
+ * Verify `variables.tf` for any additional configuration needs.
* Terraform validate & plan the terraform scripts:
- ```
- terraform validate
- ```
+ ```
+ terraform validate
+ ```
- ```
- terraform plan -var-file="aws.tfvars"
- ```
+ ```
+ terraform plan -var-file="aws.tfvars"
+ ```
* Apply the Terraform configuration:
- ```
- terraform apply -var-file="aws.tfvars"
- ```
+ ```
+ terraform apply -var-file="aws.tfvars"
+ ```
## Destroy
To destroy AWS resources, follow the steps below:
* Ensure to have `terraform.tfstate` file.
- ```
- terraform destroy
- ```
+ ```
+ terraform destroy
+ ```
## Terraform Scripts
#### certbot-ssl-certgen.tf
* Defines resources for setting up IAM roles and policies for Certbot:
- * `aws_iam_role.certbot_role`: IAM role for Certbot with EC2 assume role policy.
- * `aws_iam_policy.certbot_policy`: IAM policy allowing Certbot to modify Route 53 records.
- * `aws_iam_role_policy_attachment.certbot_policy_attachment`: Attaches the policy to the role.
- * `aws_iam_instance_profile.certbot_profile`: Creates an instance profile for the IAM role.
+ * `aws_iam_role.certbot_role`: IAM role for Certbot with EC2 assume role policy.
+ * `aws_iam_policy.certbot_policy`: IAM policy allowing Certbot to modify Route 53 records.
+ * `aws_iam_role_policy_attachment.certbot_policy_attachment`: Attaches the policy to the role.
+ * `aws_iam_instance_profile.certbot_profile`: Creates an instance profile for the IAM role.
#### aws.tfvars
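Review bot: The Destroy step runs a bare `terraform destroy` while plan and apply in the same hunk pass `-var-file="aws.tfvars"`; without the var file Terraform will prompt for every unset required variable, so destroy should be documented with the same flag. For `aws_iam_policy.certbot_policy`, "allowing Certbot to modify Route 53 records" should state whether the policy is scoped to the hosted zone given by `ZONE_ID` or to all zones in the account; a reader deciding whether to attach this role to an internet-facing instance needs that detail.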
@@ -83,14 +83,14 @@ To destroy AWS resources, follow the steps below:
#### aws-main.tf
* Defines the main resources and provider configuration:
- * `Providers`: AWS provider configuration.
- * `Security Groups`: aws_security_group.security-group for NGINX and Kubernetes.
- * `EC2 Instances`:
- * **aws_instance.NGINX_EC2_INSTANCE** for NGINX.
- * **aws_instance.K8S_CLUSTER_EC2_INSTANCE** for Kubernetes.
- * `Route 53 Records`:
- * **aws_route53_record.MAP_DNS_TO_IP** for A records.
- * **aws_route53_record.MAP_DNS_TO_CNAME** for CNAME records.
+ * `Providers`: AWS provider configuration.
+ * `Security Groups`: aws_security_group.security-group for NGINX and Kubernetes.
+ * `EC2 Instances`:
+ * **aws_instance.NGINX_EC2_INSTANCE** for NGINX.
+ * **aws_instance.K8S_CLUSTER_EC2_INSTANCE** for Kubernetes.
+ * `Route 53 Records`:
+ * **aws_route53_record.MAP_DNS_TO_IP** for A records.
+ * **aws_route53_record.MAP_DNS_TO_CNAME** for CNAME records.
#### outputs.tf
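Review bot: "Security Groups: aws_security_group.security-group for NGINX and Kubernetes" describes one group shared by the public NGINX host and the cluster nodes; the README should list the ingress rules it opens, because the set appropriate for the reverse proxy (80/443) is not the set appropriate for the nodes. Formatting is also mixed within the list: category labels use backticks while resource names use bold, so the rendered output reads inconsistently.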
diff --git a/terraform/modules/aws/nfs-setup/README.md b/terraform/modules/aws/nfs-setup/README.md
index 1aec9043..688fd3f0 100644
--- a/terraform/modules/aws/nfs-setup/README.md
+++ b/terraform/modules/aws/nfs-setup/README.md
@@ -10,10 +10,10 @@ The module configures the NFS server and deploys the necessary components to ena
* Terraform version: `v1.8.4`
* AWS Account
* AWS CLI configured with appropriate credentials
- ```
- $ export AWS_ACCESS_KEY_ID=
- $ export AWS_SECRET_ACCESS_KEY=
- ```
+ ```
+ $ export AWS_ACCESS_KEY_ID=
+ $ export AWS_SECRET_ACCESS_KEY=
+ ```
* Ensure SSH key created for accessing EC2 instances on AWS.
* Ensure you have access to the private SSH key that corresponds to the public key used when launching the EC2 instance.
* Domain and DNS: Ensure that you have a domain and that its DNS is managed by Route 53.
@@ -28,32 +28,32 @@ The module configures the NFS server and deploys the necessary components to ena
* Initialize Terraform
- ```
- terraform init
- ```
+ ```
+ terraform init
+ ```
* Terraform validate & plan the terraform scripts:
- ```
- terraform validate
- ```
+ ```
+ terraform validate
+ ```
- ```
- terraform plan
- ```
+ ```
+ terraform plan
+ ```
* Apply the Terraform configuration:
- ```
- terraform apply
- ```
+ ```
+ terraform apply
+ ```
## Destroy
To destroy AWS resources, follow the steps below:
* Ensure to have `terraform.tfstate` file.
- ```
- terraform destroy
- ```
+ ```
+ terraform destroy
+ ```
## Input Variables
@@ -69,11 +69,11 @@ To destroy AWS resources, follow the steps below:
#### nfs-setup-main.tf
* **null_resource.nfs-server-setup**:
- This resource uses SSH to connect to the NFS server and runs the install-nfs-server.sh script to configure the NFS server.
- The script logs its output to a file `/tmp/nfs-server-log` on the server.
+ This resource uses SSH to connect to the NFS server and runs the install-nfs-server.sh script to configure the NFS server.
+ The script logs its output to a file `/tmp/nfs-server-log` on the server.
* **null_resource.nfs-csi-setup**:
- This resource runs the nfs-csi.sh script locally after the NFS server has been set up.
- The script configures the NFS CSI driver and logs its output locally `./tmp/nfs-csi-log`.
+ This resource runs the nfs-csi.sh script locally after the NFS server has been set up.
+ The script configures the NFS CSI driver and logs its output locally `./tmp/nfs-csi-log`.
#### nfs-csi.sh
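Review bot: The two log paths in this hunk differ in kind: `/tmp/nfs-server-log` is absolute on the remote host, but `./tmp/nfs-csi-log` is relative to whatever directory Terraform is run from, so the local log lands in a different place depending on the caller's working directory. Please confirm whether `./tmp/` is intended and, if so, say so explicitly; if it was meant to be `/tmp/`, fix it on the `+` line.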
diff --git a/terraform/modules/aws/nginx-setup/README.md b/terraform/modules/aws/nginx-setup/README.md
index 07f7f3d6..29c47570 100644
--- a/terraform/modules/aws/nginx-setup/README.md
+++ b/terraform/modules/aws/nginx-setup/README.md
@@ -10,10 +10,10 @@ It fetches SSL certificates using Certbot and integrates with Kubernetes infrast
* Terraform version: `v1.8.4`
* AWS Account
* AWS CLI configured with appropriate credentials
- ```
- $ export AWS_ACCESS_KEY_ID=
- $ export AWS_SECRET_ACCESS_KEY=
- ```
+ ```
+ $ export AWS_ACCESS_KEY_ID=
+ $ export AWS_SECRET_ACCESS_KEY=
+ ```
* Ensure SSH key created for accessing EC2 instances on AWS.
* Ensure you have access to the private SSH key that corresponds to the public key used when launching the EC2 instance.
* Domain and DNS: Ensure that you have a domain and that its DNS is managed by Route 53.
@@ -28,32 +28,32 @@ It fetches SSL certificates using Certbot and integrates with Kubernetes infrast
* Initialize Terraform
- ```
- terraform init
- ```
+ ```
+ terraform init
+ ```
* Terraform validate & plan the terraform scripts:
- ```
- terraform validate
- ```
+ ```
+ terraform validate
+ ```
- ```
- terraform plan -var-file="aws.tfvars"
- ```
+ ```
+ terraform plan -var-file="aws.tfvars"
+ ```
* Apply the Terraform configuration:
- ```
- terraform apply -var-file="aws.tfvars"
- ```
+ ```
+ terraform apply -var-file="aws.tfvars"
+ ```
## Destroy
To destroy AWS resources, follow the steps below:
* Ensure to have `terraform.tfstate` file.
- ```
- terraform destroy
- ```
+ ```
+ terraform destroy
+ ```
## Input Variables
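Review bot: Same inconsistency as in the aws-resource-creation README: plan and apply use `-var-file="aws.tfvars"` but the Destroy step is a bare `terraform destroy`, which will prompt for the required variables; suggest `terraform destroy -var-file="aws.tfvars"` on the `+` line.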
@@ -72,12 +72,12 @@ The script `main.tf` defines a local variable NGINX_CONFIG containing various co
#### main.tf
* **null_resource "Nginx-setup"**: This resource performs the following actions:
- * `Triggers`: Sets up triggers based on the hash of the Kubernetes cluster nodes' private IP list and the public domain list.
- * `Connection`: Defines the SSH connection parameters for the EC2 instance.
- * `File Provisioner`: Uploads the nginx-setup.sh script to the EC2 instance.
- * `Remote Exec Provisioner`: Executes the necessary commands to:
- * Set environment variables.
- * Run the nginx-setup.sh script.
+ * `Triggers`: Sets up triggers based on the hash of the Kubernetes cluster nodes' private IP list and the public domain list.
+ * `Connection`: Defines the SSH connection parameters for the EC2 instance.
+ * `File Provisioner`: Uploads the nginx-setup.sh script to the EC2 instance.
+ * `Remote Exec Provisioner`: Executes the necessary commands to:
+ * Set environment variables.
+ * Run the nginx-setup.sh script.
#### nginx-setup.sh:
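Review bot: "Set environment variables" under the Remote Exec Provisioner does not say which variables are exported to the remote shell; given that this module receives the domain list, the Certbot email and SSH key material, the README should list exactly what is passed so reviewers can see none of it is secret. The `Triggers` line also only names the node private IP list and the public domain list, so a change to the certificate settings alone will not re-run the provisioner; that is worth stating, as it affects how operators rotate certificates.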
diff --git a/terraform/modules/aws/rancher-keycloak-setup/FINAL_CLEAN_RANCHER_KEYCLOAK_IMPLEMENTATION.md b/terraform/modules/aws/rancher-keycloak-setup/FINAL_CLEAN_RANCHER_KEYCLOAK_IMPLEMENTATION.md
index 759c6ab6..5d5c4cf7 100644
--- a/terraform/modules/aws/rancher-keycloak-setup/FINAL_CLEAN_RANCHER_KEYCLOAK_IMPLEMENTATION.md
+++ b/terraform/modules/aws/rancher-keycloak-setup/FINAL_CLEAN_RANCHER_KEYCLOAK_IMPLEMENTATION.md
@@ -25,48 +25,48 @@ Successfully implemented automated Rancher UI and Keycloak installation **ONLY f
```
terraform/
-├── modules/aws/ # CLEAN - No Rancher/Keycloak
-│ ├── aws-main.tf # ✅ Clean, ends at nfs-setup
-│ ├── variables.tf # ✅ No Rancher/Keycloak vars
-│ ├── outputs.tf # ✅ No Rancher/Keycloak outputs
-│ └── rancher-keycloak-setup/ # ✅ Isolated module
-│ ├── main.tf # Rancher/Keycloak logic
-│ ├── variables.tf # Setup variables
-│ └── outputs.tf # Setup outputs
-├── observ-infra/ # ONLY PLACE WITH INTEGRATION
-│ ├── variables.tf # ✅ Has Rancher/Keycloak vars
-│ ├── outputs.tf # ✅ Has Rancher/Keycloak outputs
-│ └── aws/
-│ ├── main.tf # ✅ Calls rancher-keycloak-setup
-│ ├── variables.tf # ✅ Has Rancher/Keycloak vars
-│ └── outputs.tf # ✅ Has Rancher/Keycloak outputs
-├── infra/ # ✅ CLEAN - No Rancher/Keycloak
-│ ├── main.tf # Only calls main AWS module
-│ ├── variables.tf # No Rancher/Keycloak vars
-│ └── outputs.tf # No Rancher/Keycloak outputs
+├── modules/aws/ # CLEAN - No Rancher/Keycloak
+│ ├── aws-main.tf # ✅ Clean, ends at nfs-setup
+│ ├── variables.tf # ✅ No Rancher/Keycloak vars
+│ ├── outputs.tf # ✅ No Rancher/Keycloak outputs
+│ └── rancher-keycloak-setup/ # ✅ Isolated module
+│ ├── main.tf # Rancher/Keycloak logic
+│ ├── variables.tf # Setup variables
+│ └── outputs.tf # Setup outputs
+├── observ-infra/ # ONLY PLACE WITH INTEGRATION
+│ ├── variables.tf # ✅ Has Rancher/Keycloak vars
+│ ├── outputs.tf # ✅ Has Rancher/Keycloak outputs
+│ └── aws/
+│ ├── main.tf # ✅ Calls rancher-keycloak-setup
+│ ├── variables.tf # ✅ Has Rancher/Keycloak vars
+│ └── outputs.tf # ✅ Has Rancher/Keycloak outputs
+├── infra/ # ✅ CLEAN - No Rancher/Keycloak
+│ ├── main.tf # Only calls main AWS module
+│ ├── variables.tf # No Rancher/Keycloak vars
+│ └── outputs.tf # No Rancher/Keycloak outputs
└── implementations/
- ├── aws/infra/ # ✅ CLEAN - No Rancher/Keycloak
- └── aws/observ-infra/ # ✅ ONLY PLACE WITH INTEGRATION
- ├── aws.tfvars # Has Rancher/Keycloak config
- ├── variables.tf # Has Rancher/Keycloak vars
- └── outputs.tf # Has Rancher/Keycloak outputs
+ ├── aws/infra/ # ✅ CLEAN - No Rancher/Keycloak
+ └── aws/observ-infra/ # ✅ ONLY PLACE WITH INTEGRATION
+ ├── aws.tfvars # Has Rancher/Keycloak config
+ ├── variables.tf # Has Rancher/Keycloak vars
+ └── outputs.tf # Has Rancher/Keycloak outputs
```
## Execution Flow (observ-infra only)
```
1. AWS Infrastructure (via main AWS module)
- ├── VPC/Subnet discovery
- ├── EC2 instances creation
- ├── NGINX setup
- ├── RKE2 cluster setup
- └── NFS setup
-
+ ├── VPC/Subnet discovery
+ ├── EC2 instances creation
+ ├── NGINX setup
+ ├── RKE2 cluster setup
+ └── NFS setup
+
2. Rancher-Keycloak Setup (observ-infra specific)
- ├── Install cert-manager
- ├── Install Rancher UI via Helm
- ├── Clone k8s-infra repository
- └── Install Keycloak via script
+ ├── Install cert-manager
+ ├── Install Rancher UI via Helm
+ ├── Clone k8s-infra repository
+ └── Install Keycloak via script
```
## Configuration (observ-infra only)
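Review bot: "Clone k8s-infra repository" followed by "Install Keycloak via script" does not say which repository URL, branch or commit is cloned; executing an installer from an unpinned default branch during `terraform apply` is a supply-chain risk, so the flow should name the ref (the nfs-setup module already exposes `K8S_INFRA_REPO_URL` and `K8S_INFRA_BRANCH` for this). The rest of the hunk is indentation-only and `git diff -w` should confirm that.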
@@ -74,20 +74,20 @@ terraform/
### Enable/Disable Integration
```hcl
# In aws.tfvars (observ-infra)
-enable_rancher_keycloak_integration = true # Enable for observ-infra
-rancher_hostname = "" # Defaults to rancher.testvpc.mosip.net
-keycloak_hostname = "" # Defaults to iam.testvpc.mosip.net
+enable_rancher_keycloak_integration = true # Enable for observ-infra
+rancher_hostname = "" # Defaults to rancher.testvpc.mosip.net
+keycloak_hostname = "" # Defaults to iam.testvpc.mosip.net
rancher_bootstrap_password = "admin"
```
### Disable Integration
```hcl
-enable_rancher_keycloak_integration = false # No Rancher/Keycloak installation
+enable_rancher_keycloak_integration = false # No Rancher/Keycloak installation
```
## What Each Deployment Does
-### 🏗️ **Main Infra Deployment** (`terraform/implementations/aws/infra/`)
+### **Main Infra Deployment** (`terraform/implementations/aws/infra/`)
```bash
terraform apply -var-file="aws.tfvars"
```
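Review bot: `rancher_bootstrap_password = "admin"` is left unchanged in a tfvars block presented as the configuration to copy; a committed default of `admin` for the Rancher bootstrap account is a credential that will end up in version control and shell history. Suggest documenting that the value must be replaced, sourced from `TF_VAR_rancher_bootstrap_password` or a secret store rather than the file, and that the variable be marked `sensitive = true`. The comments for `rancher_hostname` and `keycloak_hostname` also state defaults of `rancher.testvpc.mosip.net` and `iam.testvpc.mosip.net`, which are environment-specific and should be described as example values.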
@@ -108,7 +108,7 @@ terraform apply -var-file="aws.tfvars"
- **+ Keycloak** at https://iam.testvpc.mosip.net
- Ready for observability tools integration
-### 🔧 **Base-Infra Deployment** (`terraform/implementations/aws/base-infra/`)
+### **Base-Infra Deployment** (`terraform/implementations/aws/base-infra/`)
```bash
terraform apply -var-file="aws.tfvars"
```
@@ -154,7 +154,7 @@ terraform apply -var-file="aws.tfvars"
### 2. **Verify Main Infra Remains Clean**
```bash
cd terraform/implementations/aws/infra
-terraform plan -var-file="aws.tfvars" # Should show NO Rancher/Keycloak
+terraform plan -var-file="aws.tfvars" # Should show NO Rancher/Keycloak
```
### 3. **Access Applications (observ-infra only)**
@@ -169,4 +169,4 @@ terraform plan -var-file="aws.tfvars" # Should show NO Rancher/Keycloak
- Professional, isolated, maintainable implementation
- Ready for production deployment
-The implementation now perfectly meets the requirement: **Rancher-Keycloak integration only for observ-infra, not for infra or base-infra.** 🎯
+The implementation now perfectly meets the requirement: **Rancher-Keycloak integration only for observ-infra, not for infra or base-infra.**
diff --git a/terraform/modules/aws/rke2-cluster/README.md b/terraform/modules/aws/rke2-cluster/README.md
index e0601d91..cd526377 100644
--- a/terraform/modules/aws/rke2-cluster/README.md
+++ b/terraform/modules/aws/rke2-cluster/README.md
@@ -9,10 +9,10 @@ The RKE2 configuration is managed through a GitHub repository.
* Terraform version: `v1.8.4`
* AWS Account
* AWS CLI configured with appropriate credentials
- ```
- $ export AWS_ACCESS_KEY_ID=
- $ export AWS_SECRET_ACCESS_KEY=
- ```
+ ```
+ $ export AWS_ACCESS_KEY_ID=
+ $ export AWS_SECRET_ACCESS_KEY=
+ ```
* Ensure SSH key created for accessing EC2 instances on AWS.
* Ensure you have access to the private SSH key that corresponds to the public key used when launching the EC2 instance.
* Git is installed on the EC2 instance.
@@ -23,27 +23,27 @@ The RKE2 configuration is managed through a GitHub repository.
## Setup
* Initialize Terraform
- ```
- terraform init
- ```
+ ```
+ terraform init
+ ```
* Terraform validate & plan the terraform scripts:
- ```
- terraform validate
- ```
- ```
- terraform plan -var-file="aws.tfvars"
- ```
+ ```
+ terraform validate
+ ```
+ ```
+ terraform plan -var-file="aws.tfvars"
+ ```
* Apply the Terraform configuration:
- ```
- terraform apply -var-file="aws.tfvars"
- ```
+ ```
+ terraform apply -var-file="aws.tfvars"
+ ```
## Destroy
To destroy AWS resources, follow the steps below:
* Ensure to have `terraform.tfstate` file.
- ```
- terraform destroy
- ```
+ ```
+ terraform destroy
+ ```
## Input Variables
* `K8S_CLUSTER_PUBLIC_IPS`: Map of public IP addresses for the Kubernetes cluster nodes.
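Review bot: As in the other module READMEs in this patch, `terraform destroy` here drops the `-var-file="aws.tfvars"` that plan and apply use, so it will prompt for variables; align the Destroy command with the others. The `terraform validate` and `terraform plan` blocks are also merged into one bullet with two adjacent fences, which renders oddly; a blank line or a short sentence between them would match the style of the other READMEs.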
diff --git a/terraform/modules/aws/rke2-cluster/ansible/README.md b/terraform/modules/aws/rke2-cluster/ansible/README.md
index f39d5118..94ac2fe2 100644
--- a/terraform/modules/aws/rke2-cluster/ansible/README.md
+++ b/terraform/modules/aws/rke2-cluster/ansible/README.md
@@ -13,8 +13,8 @@ This module has been converted from using Terraform's unreliable `remote-exec` p
- ✅ **Internet connectivity**
**Auto-Installed:**
-- 📦 **Ansible** - automatically installed during `terraform apply`
-- 📦 **pip3** - installed with Ansible if needed
+- **Ansible** - automatically installed during `terraform apply`
+- **pip3** - installed with Ansible if needed
### **Supported Operating Systems for Terraform Runner:**
- ✅ **Ubuntu/Debian** (apt-get)
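Review bot: "Ansible - automatically installed during `terraform apply`" and "pip3 - installed with Ansible if needed" describe an unpinned install of a tool that is then given SSH access to every cluster node; the README should state the Ansible version that gets installed (and that it is pinned in `run-ansible.sh`) so the runner is not pulling whatever is latest at apply time. Beyond the emoji removal, nothing else changes in this hunk.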
@@ -24,7 +24,7 @@ This module has been converted from using Terraform's unreliable `remote-exec` p
- ✅ **macOS** (brew)
- ✅ **Any Linux with pip3**
-## 🚀 Quick Start
+## Quick Start
### **1. Pre-flight Check (Optional but Recommended)**
```bash
@@ -36,23 +36,23 @@ cd terraform/implementations/aws/infra
```bash
terraform init
terraform plan
-terraform apply # Ansible will be auto-installed if needed
+terraform apply # Ansible will be auto-installed if needed
```
That's it! No manual Ansible installation required.
-## 🔄 How Ansible Installation Works
+## How Ansible Installation Works
### **Automatic Installation Flow:**
```mermaid
graph TD
- A[terraform apply] --> B[local-exec: run-ansible.sh]
- B --> C{Ansible installed?}
- C -->|No| D[Auto-install Ansible]
- C -->|Yes| E[Use existing Ansible]
- D --> F[Run Ansible Playbook]
- E --> F
- F --> G[RKE2 Cluster Ready]
+ A[terraform apply] --> B[local-exec: run-ansible.sh]
+ B --> C{Ansible installed?}
+ C -->|No| D[Auto-install Ansible]
+ C -->|Yes| E[Use existing Ansible]
+ D --> F[Run Ansible Playbook]
+ E --> F
+ F --> G[RKE2 Cluster Ready]
```
### **Installation Methods by OS:**
@@ -78,7 +78,7 @@ graph TD
- ✅ Kubernetes cluster formation
- ✅ kubectl configuration
-## 🛠️ Manual Ansible Installation (if preferred)
+## Manual Ansible Installation (if preferred)
If you prefer to install Ansible manually before running terraform:
@@ -131,14 +131,14 @@ export PATH="$HOME/.local/bin:$PATH"
```
ansible/
-├── inventory.yml.tpl # Terraform template for Ansible inventory
-├── rke2-playbook.yml # Main Ansible playbook for RKE2 installation
-├── run-ansible.sh # Script to execute Ansible with proper settings
-├── test-cluster.sh # Test script to verify cluster health
-├── inventory.yml # Generated inventory file (created by Terraform)
-├── ssh_key # SSH private key file (created by Terraform)
+├── inventory.yml.tpl # Terraform template for Ansible inventory
+├── rke2-playbook.yml # Main Ansible playbook for RKE2 installation
+├── run-ansible.sh # Script to execute Ansible with proper settings
+├── test-cluster.sh # Test script to verify cluster health
+├── inventory.yml # Generated inventory file (created by Terraform)
+├── ssh_key # SSH private key file (created by Terraform)
├── primary-kubeconfig.yaml # Downloaded kubeconfig (created by Ansible)
-└── kubeconfigs/ # Directory with all node kubeconfigs
+└── kubeconfigs/ # Directory with all node kubeconfigs
```
## Usage
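Review bot: `ssh_key # SSH private key file (created by Terraform)`, `primary-kubeconfig.yaml` and `kubeconfigs/` are all written into the module directory next to the playbook; the README should say these are generated secrets, that they must be listed in `.gitignore`, and that `ssh_key` must be created with mode 0600 (Ansible will otherwise refuse it or, worse, the key is world-readable on a shared runner). The hunk itself only realigns the tree comments.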
@@ -179,7 +179,7 @@ ansible all -i inventory.yml -u ubuntu --private-key=ssh_key -m ping
# Check service status
ansible rke2_cluster -i inventory.yml -u ubuntu --private-key=ssh_key \
- -m shell -a "sudo systemctl status rke2-server || sudo systemctl status rke2-agent"
+ -m shell -a "sudo systemctl status rke2-server || sudo systemctl status rke2-agent"
# Re-run the playbook
ansible-playbook -i inventory.yml -u ubuntu --private-key=ssh_key rke2-playbook.yml
@@ -227,7 +227,7 @@ The following variables are automatically passed from Terraform to Ansible:
Node roles are automatically detected based on hostname patterns:
- `*CONTROL-PLANE-NODE*`: Control plane nodes
-- `*ETCD-NODE*`: ETCD nodes
+- `*ETCD-NODE*`: ETCD nodes
- `*WORKER-NODE*`: Worker nodes
## Next Steps
diff --git a/terraform/modules/azure/README.md b/terraform/modules/azure/README.md
index 42130e72..31070f12 100644
--- a/terraform/modules/azure/README.md
+++ b/terraform/modules/azure/README.md
@@ -6,8 +6,8 @@ This module facilitates the deployment of MOSIP (Modular Open Source Identity Pl
- Resource Creation: Establishes foundational Azure resources necessary for MOSIP operations.
- NGINX Setup: Configures NGINX as a reverse proxy or load balancer to manage and distribute incoming traffic efficiently.
-- RKE2 (Rancher Kubernetes Engine 2) Cluster Setup: Deploys a Kubernetes cluster using RKE2, ensuring scalable and reliable orchestration of containerized applications.
-- NFS (Network File System) Server Setup: Implements an NFS server to provide shared storage solutions across the infrastructure.
+- RKE2 (Rancher Kubernetes Engine 2) Cluster Setup: Deploys a Kubernetes cluster using RKE2, ensuring scalable and reliable orchestration of containerized applications.
+- NFS (Network File System) Server Setup: Implements an NFS server to provide shared storage solutions across the infrastructure.
## Community Contributions
diff --git a/terraform/modules/gcp/README.md b/terraform/modules/gcp/README.md
index 6b889f3b..203da843 100644
--- a/terraform/modules/gcp/README.md
+++ b/terraform/modules/gcp/README.md
@@ -6,8 +6,8 @@ This module facilitates the deployment of MOSIP (Modular Open Source Identity Pl
- Resource Creation: Establishes foundational Azure resources necessary for MOSIP operations.
- NGINX Setup: Configures NGINX as a reverse proxy or load balancer to manage and distribute incoming traffic efficiently.
-- RKE2 (Rancher Kubernetes Engine 2) Cluster Setup: Deploys a Kubernetes cluster using RKE2, ensuring scalable and reliable orchestration of containerized applications.
-- NFS (Network File System) Server Setup: Implements an NFS server to provide shared storage solutions across the infrastructure.
+- RKE2 (Rancher Kubernetes Engine 2) Cluster Setup: Deploys a Kubernetes cluster using RKE2, ensuring scalable and reliable orchestration of containerized applications.
+- NFS (Network File System) Server Setup: Implements an NFS server to provide shared storage solutions across the infrastructure.
## Community Contributions
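Review bot: The context line "Establishes foundational Azure resources necessary for MOSIP operations" in `terraform/modules/gcp/README.md` is a copy-paste leftover from the Azure README and should say GCP resources; since this hunk is already touching the adjacent bullets, it is the right place to fix it.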