Feature/infrastructure docs autogen

[TaichKarna]

Proposed change

Resolves #4485

Terraform docs support for auto doc generation for infrastructure.

This PR:

• adds .terraform-docs.yml configuration in the infrastructure/ folder
• wires terraform_docs hook into pre-commit to automatically regenerate module READMEs on commit
• disables MD060 and MD034 in .markdownlint.yaml to resolve conflicts with terraform-docs generated table and URL formatting
• adds docs-infrastructure target in the Makefile to generate docs for all modules and nested submodules
• installs terraform-docs in the CI pre-commit job pinned to match local version to prevent output drift
• preserves handwritten README content using <!-- BEGIN_TF_DOCS --> / <!-- END_TF_DOCS --> injection markers across all modules

Checklist

• Required: I followed the contributing workflow
• Required: I verified that my code works as intended and resolves the issue as described
• Required: I ran make check-test locally: all warnings addressed, tests passed
• I used AI for code, documentation, tests, or communication related to this PR

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 9ae64c1d-2a03-421c-b0c6-61798c184b5f

📥 Commits

Reviewing files that changed from the base of the PR and between 125bcc6 and 7a70f6f.

📒 Files selected for processing (3)

• .github/workflows/run-ci-cd.yaml
• infrastructure/Makefile
• infrastructure/README.md

✅ Files skipped from review due to trivial changes (3)

• infrastructure/README.md
• infrastructure/Makefile
• .github/workflows/run-ci-cd.yaml

---

Summary by CodeRabbit

• Documentation

  • Added auto-generated Terraform documentation for all infrastructure modules, consistently documenting requirements, providers, resources, inputs, and outputs.

• Chores

  • Enhanced CI/CD pipeline to automatically generate and validate infrastructure module documentation using terraform-docs.
  • Added local make docs-infrastructure command to generate infrastructure documentation on demand.

Walkthrough

Adds terraform-docs integration: CI installs terraform-docs, pre-commit runs a terraform-docs hook, a centralized config and Makefile target were added, and generated TF documentation blocks were injected into infrastructure module README files.

Changes

Cohort / File(s)	Summary
CI / Workflow .github/workflows/run-ci-cd.yaml	Install terraform-docs v0.22.0 (linux-amd64) with SHA-256 verification in the pre-commit job before running pre-commit.
Pre-commit & Linting .pre-commit-config.yaml, .markdownlint.yaml	Added pre-commit-terraform terraform_docs hook for ^infrastructure/.*\.tf$; updated markdownlint hook to pass explicit config; disabled MD034 and MD060 in .markdownlint.yaml.
Terraform-docs config infrastructure/.terraform-docs.yaml	Added centralized terraform-docs configuration (markdown table output, injection markers, sorting, and other render options).
Local tooling & docs instructions infrastructure/Makefile, infrastructure/README.md	Added TERRAFORM_DOCS_VERSION := v0.22.0 and docs-infrastructure Make target; documented local usage and version requirement in README.
Generated Terraform module README files infrastructure/bootstrap/README.md, infrastructure/live/README.md, infrastructure/state/README.md, infrastructure/.../README.md	Injected <!-- BEGIN_TF_DOCS --> ... <!-- END_TF_DOCS --> blocks across top-level projects and module tree (infrastructure/modules/* and nested modules) containing requirements, providers, resources, inputs, and outputs (auto-generated TF docs).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• Migrate OWASP Nest to Zappa for serverless deployment #2431: Modifies CI and pre-commit Terraform tooling; highly related to terraform-docs/pre-commit changes.
• Improve networking Module #2770: Adds terraform-docs CI/Make targets and generated README files for various infrastructure modules; overlaps generated docs and Makefile.
• Add CI/CD for staging deployment #3466: CI workflow changes touching .github/workflows/run-ci-cd.yaml that may intersect with the added install step.

Suggested reviewers

• arkid15r
• kasya

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Feature/infrastructure docs autogen' clearly relates to the main change of adding terraform-docs for infrastructure documentation generation.
Description check	✅ Passed	The description provides a detailed explanation of proposed changes that directly relate to the terraform-docs documentation generation feature and lists specific implementation steps.
Linked Issues check	✅ Passed	The PR meets all acceptance criteria from issue #4485: generates docs for all three Terraform projects with modules/sub-modules, adds centralized .terraform-docs.yaml configuration, enables local execution and pre-commit integration, and preserves handwritten content using injection markers.
Out of Scope Changes check	✅ Passed	All changes are scoped to implementing terraform-docs for infrastructure documentation: configuration files, pre-commit hooks, CI pipeline updates, Makefile targets, and README documentation blocks are all directly aligned with the stated objectives.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (2)

infrastructure/.terraform-docs.yaml (1)

1-37: Config looks good; one minor nit.

The recursive.enabled: false setting is correct here because the Makefile iterates modules explicitly via find. A tiny readability nit: a blank line between the output: block and output-values: (after line 15) would match the spacing used elsewhere in the file.

Also note: for this config to actually take effect in pre-commit/CI, the terraform_docs hook must pass --config=…/infrastructure/.terraform-docs.yaml — see the separate comment on .pre-commit-config.yaml.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@infrastructure/.terraform-docs.yaml` around lines 1 - 37, Add a blank line
between the existing output: block and the output-values: block to match the
file's spacing conventions; locate the output: and output-values: keys in
.terraform-docs.yaml (and note recursive.enabled remains false) and insert a
single empty line after the output: block to improve readability.

infrastructure/README.md (1)

393-399: Minor: cd infrastructure is repo-root-relative, but earlier sections cd into subdirectories.

A reader who followed the staging steps may already be inside infrastructure/live/ and will hit "No such file" on cd infrastructure. Consider clarifying: "From the repo root, run make -C infrastructure docs-infrastructure" — this also avoids requiring a directory change at all.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@infrastructure/README.md` around lines 393 - 399, Update the Documentation
section to clarify the command is repo-root-relative and avoid changing
directories: replace the existing "cd infrastructure && make
docs-infrastructure" guidance with a note like "From the repo root, run `make -C
infrastructure docs-infrastructure`" (or explicitly state "If you are already
inside infrastructure/live/, run `cd ../.. && make -C infrastructure
docs-infrastructure`") so the make target `docs-infrastructure` is invoked
without failing when the user is in a subdirectory.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/run-ci-cd.yaml:
- Around line 67-77: Update the CI install step to clean up temporary files and
ensure version consistency: after the download/extract/install sequence that
uses TERRAFORM_DOCS_VERSION, add removal of the TARBALL and extracted
terraform-docs (rm -f "${TARBALL}" terraform-docs) to avoid leftover artifacts;
separately, document the pinned TERRAFORM_DOCS_VERSION in
infrastructure/README.md and add a version-check in the Makefile target that
runs terraform-docs (e.g., a check comparing terraform-docs --version against
TERRAFORM_DOCS_VERSION) so local devs and CI are validated against the same
pinned version.

In `@infrastructure/Makefile`:
- Around line 16-28: The docs-infrastructure Makefile target uses an unscoped
`find .` and an unchecked, whitespace-unsafe loop; change the `find` invocation
in the docs-infrastructure recipe to search only the infrastructure roots (e.g.
`infrastructure/modules` or explicitly `infrastructure/live
infrastructure/bootstrap infrastructure/state infrastructure/modules`) and
switch to NUL-separated handling (`-print0` on find and `while read -r -d ''
dir; do ... done`) ensuring you quote "$dir" when passing it to
`terraform-docs`, and after the `terraform-docs markdown "$dir" --config
$(CURDIR)/.terraform-docs.yaml --output-file README.md --output-mode inject`
call append `|| exit 1` so the loop (and make) fails immediately on any
terraform-docs error.

In `@infrastructure/modules/storage/README.md`:
- Around line 6-8: Update the provider version constraints from pessimistic ("~>
1.14.0", "~> 6.36.0", "~> 3.8.0") to exact pins ("1.14.0", "6.36.0", "3.8.0")
wherever the provider requirements are declared (look for the
requirement_terraform, requirement_aws, and requirement_random blocks in the
module's provider requirement declarations, including main.tf and any submodule
requirement blocks), then regenerate the module README so the table entries for
those anchors reflect the exact versions.

---

Nitpick comments:
In `@infrastructure/.terraform-docs.yaml`:
- Around line 1-37: Add a blank line between the existing output: block and the
output-values: block to match the file's spacing conventions; locate the output:
and output-values: keys in .terraform-docs.yaml (and note recursive.enabled
remains false) and insert a single empty line after the output: block to improve
readability.

In `@infrastructure/README.md`:
- Around line 393-399: Update the Documentation section to clarify the command
is repo-root-relative and avoid changing directories: replace the existing "cd
infrastructure && make docs-infrastructure" guidance with a note like "From the
repo root, run `make -C infrastructure docs-infrastructure`" (or explicitly
state "If you are already inside infrastructure/live/, run `cd ../.. && make -C
infrastructure docs-infrastructure`") so the make target `docs-infrastructure`
is invoked without failing when the user is in a subdirectory.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 055e8c78-1bd2-4eef-8195-f1dc260c1bea

📥 Commits

Reviewing files that changed from the base of the PR and between 02e7084 and 125bcc6.

📒 Files selected for processing (24)

• .github/workflows/run-ci-cd.yaml
• .markdownlint.yaml
• .pre-commit-config.yaml
• infrastructure/.terraform-docs.yaml
• infrastructure/Makefile
• infrastructure/README.md
• infrastructure/bootstrap/README.md
• infrastructure/live/README.md
• infrastructure/modules/alb/README.md
• infrastructure/modules/cache/README.md
• infrastructure/modules/database/README.md
• infrastructure/modules/kms/README.md
• infrastructure/modules/networking/README.md
• infrastructure/modules/networking/modules/nacl/README.md
• infrastructure/modules/networking/modules/vpc-endpoint/README.md
• infrastructure/modules/parameters/README.md
• infrastructure/modules/security/README.md
• infrastructure/modules/service/README.md
• infrastructure/modules/storage/README.md
• infrastructure/modules/storage/modules/s3-bucket/README.md
• infrastructure/modules/storage/modules/shared-data-bucket/README.md
• infrastructure/modules/tasks/README.md
• infrastructure/modules/tasks/modules/task/README.md
• infrastructure/state/README.md

[cubic-dev-ai]

2 issues found across 24 files

Confidence score: 4/5

• This PR looks safe to merge with minimal risk: both findings are medium-severity (5/10) and focused on documentation automation rather than core runtime behavior.
• In infrastructure/Makefile, failures from terraform-docs inside the loop are not propagated, which can report success after partial doc generation and mask CI/doc drift.
• infrastructure/Makefile also uses find ., so invoking the Makefile from outside infrastructure/ can scan unintended paths and produce inconsistent docs behavior.
• Pay close attention to infrastructure/Makefile - ensure loop errors fail the target and scope find to the intended infrastructure directory.

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="infrastructure/Makefile">

<violation number="1" location="infrastructure/Makefile:17">
P2: `find .` scopes the search relative to the working directory. If the Makefile is invoked from outside `infrastructure/` (e.g., `make -f infrastructure/Makefile docs-infrastructure`), `find .` will walk the entire repo and attempt to run `terraform-docs` on unrelated `main.tf` files. Scope the search to the known module roots (`bootstrap`, `live`, `state`, `modules`) as done by the sibling `test-infrastructure` target.</violation>

<violation number="2" location="infrastructure/Makefile:24">
P2: `terraform-docs` failures inside the loop are not propagated, so the Make target can succeed after only partial doc generation.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

2 issues found across 3 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="infrastructure/README.md">

<violation number="1" location="infrastructure/README.md:403">
P2: The Homebrew install command uses an invalid/nonexistent formula name, so the documented macOS setup path is broken.</violation>
</file>

<file name=".github/workflows/run-ci-cd.yaml">

<violation number="1" location=".github/workflows/run-ci-cd.yaml:77">
P2: Unchained cleanup command can mask terraform-docs download/verify/install failures and let the step succeed spuriously.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

0 issues found across 2 files (changes from recent commits).

_{Requires human review: Auto-approval blocked by 2 unresolved issues from previous reviews.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.93%. Comparing base (02e7084) to head (7a70f6f).

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #4562   +/-   ##
=======================================
  Coverage   98.93%   98.93%           
=======================================
  Files         527      527           
  Lines       16954    16954           
  Branches     2410     2358   -52     
=======================================
  Hits        16774    16774           
  Misses         97       97           
  Partials       83       83           

Flag	Coverage Δ
backend	99.50% <ø> (ø)
frontend	97.34% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 02e7084...7a70f6f. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[rudransh-shrivastava]

Hi @TaichKarna , thank you for working on this!

I have a question for you -- have you tried the official hooks instead of antonbabenko/pre-commit-terraform's hooks for terraform-docs?

I'm referring to terraform-docs/terraform-docs and the docker-based hook .

---

If so, what was your experience? Does it also require an additional step in CI to add the terraform-docs binary in $PATH?

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[TaichKarna]

Hi @TaichKarna , thank you for working on this!

I have a question for you -- have you tried the official hooks instead of antonbabenko/pre-commit-terraform's hooks for terraform-docs?

I'm referring to terraform-docs/terraform-docs and the docker-based hook .

If so, what was your experience? Does it also require an additional step in CI to add the terraform-docs binary in $PATH?

Both approaches requires a script to find directories changed and running command against each of them something the current hook does behind the scenes but wont require extra setup steps. @rudransh-shrivastava

[rudransh-shrivastava]

Both approaches requires a script to find directories changed and running command against each of them something the current hook does behind the scenes but wont require extra setup steps. @rudransh-shrivastava

I see, can you please update the code to use them when you get a chance?

I want to avoid having to download a specific tarball in CI as it's hard to maintain. I don't know if Dependabot can update the version (TERRAFORM_DOCS_VERSION: v0.22.0) while updating the hook.

If terraform-docs requires Go in $PATH, I think its a valid trade-off over the current approach.

Thank you @TaichKarna

[TaichKarna]

Both approaches requires a script to find directories changed and running command against each of them something the current hook does behind the scenes but wont require extra setup steps. @rudransh-shrivastava

I see, can you please update the code to use them when you get a chance?

I want to avoid having to download a specific tarball in CI as it's hard to maintain. I don't know if Dependabot can update the version (TERRAFORM_DOCS_VERSION: v0.22.0) while updating the hook.

If terraform-docs requires Go in $PATH, I think its a valid trade-off over the current approach.

Thank you @TaichKarna

I tried the script approach but moving to using a script as hook means the download has to move somewhere else ( inside script, ci / cd or one more hook script for dowloading ). I found using go install in Ci/CD simpler and Ubuntu latest using in our job runner comes with Go preinstalled. I implemented and tested in a different branch, you can look at the approach here.

https://github.com/TaichKarna/Nest/tree/terra-go @rudransh-shrivastava

[rudransh-shrivastava]

I tried the script approach but moving to using a script as hook means the download has to move somewhere else ( inside script, ci / cd or one more hook script for dowloading ). I found using go install in Ci/CD simpler and Ubuntu latest using in our job runner comes with Go preinstalled. I implemented and tested in a different branch, you can look at the approach here.

https://github.com/TaichKarna/Nest/tree/terra-go @rudransh-shrivastava

Please check this action run when you get a chance. It seems we don't need to download things manually -- the pre-commit hook manages that on it's own. There is no need to update the CI pipeline.

The code for this is here.

Why do we need a script?
@TaichKarna

edit: the CI fail is intentional, it's just a PoC for pre-commit run.

[TaichKarna]

I tried the script approach but moving to using a script as hook means the download has to move somewhere else ( inside script, ci / cd or one more hook script for dowloading ). I found using go install in Ci/CD simpler and Ubuntu latest using in our job runner comes with Go preinstalled. I implemented and tested in a different branch, you can look at the approach here.
https://github.com/TaichKarna/Nest/tree/terra-go @rudransh-shrivastava

Please check this action run when you get a chance. It seems we don't need to download things manually -- the pre-commit hook manages that on it's own. There is no need to update the CI pipeline.

The code for this is here.

Why do we need a script? @TaichKarna

edit: the CI fail is intentional, it's just a PoC for pre-commit run.

Terraform-docs natively only processes a single directory at a time. You point it at one path and it generates docs for that module, there's recursive flag but it doesnt work well with our structure. So we have to add command for all our directories or subdirectories seperately. A script would take changed tf files get their directories and run the terraform docs command against it, that what the antonbabenko hook does too. A custom script or the current hook both requires installation.

Thank your for reviewing @rudransh-shrivastava

[rudransh-shrivastava]

there's recursive flag but it doesnt work well with our structure.

I see what you mean, sub-modules inside modules aren't affected. This seems to be a limitation with terraform-docs itself. I'll look into it.

[rudransh-shrivastava]

I tried to fix it, let's see if this gets merged: terraform-docs/terraform-docs#924

[TaichKarna]

I tried to fix it, let's see if this gets merged: terraform-docs/terraform-docs#924

This solves everything, good going!! Do let me know if you can when it gets merged.

[rudransh-shrivastava]

It has been merged -- let's wait for a release.