docs(terraform): generate initial README.md for all 56 module layers

Generated via terraform-docs v0.24.0 using shared .terraform-docs.yml config.

Coverage:
- 19 base modules
- 23 composition modules
- 14 application-resource modules

Each README includes:
- Requirements, providers, modules, resources
- Input variables table (name, type, description, default, required)
- Output values table (name, description)
- Injected between BEGIN_TF_DOCS / END_TF_DOCS markers for CI updates

Author: itsharshvb

terraform/aws/modules/application-resources/alb-controller/README.md

@@ -0,0 +1,64 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+| ---- | ------- |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 6.0 |
+| <a name="requirement_helm"></a> [helm](#requirement\_helm) | ~> 3.1 |
+| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | ~> 3.0 |
+
+## Providers
+
+| Name | Version |
+| ---- | ------- |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 6.0 |
+| <a name="provider_helm"></a> [helm](#provider\_helm) | ~> 3.1 |
+| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | ~> 3.0 |
+
+## Modules
+
+| Name | Source | Version |
+| ---- | ------ | ------- |
+| <a name="module_aws_load_balancer_controller_irsa"></a> [aws\_load\_balancer\_controller\_irsa](#module\_aws\_load\_balancer\_controller\_irsa) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.0 |
+
+## Resources
+
+| Name | Type |
+| ---- | ---- |
+| [helm_release.alb_controller](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [kubernetes_service_account_v1.alb_controller](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account_v1) | resource |
+| [aws_eks_cluster.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source |
+| [aws_eks_cluster_auth.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source |
+| [aws_iam_openid_connect_provider.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_openid_connect_provider) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+| ---- | ----------- | ---- | ------- | :------: |
+| <a name="input_additional_service_account_annotations"></a> [additional\_service\_account\_annotations](#input\_additional\_service\_account\_annotations) | Additional annotations to apply to the ALB Controller Service Account | `map(string)` | `{}` | no |
+| <a name="input_alb_controller_chart_version"></a> [alb\_controller\_chart\_version](#input\_alb\_controller\_chart\_version) | Version of the AWS Load Balancer Controller Helm chart | `string` | `"1.14.0"` | no |
+| <a name="input_alb_controller_namespace"></a> [alb\_controller\_namespace](#input\_alb\_controller\_namespace) | Namespace ALB Controller is installed on | `string` | `"kube-system"` | no |
+| <a name="input_alb_controller_service_account_name"></a> [alb\_controller\_service\_account\_name](#input\_alb\_controller\_service\_account\_name) | Service Account Name of ALB Controller | `string` | `"aws-load-balancer-controller-sa"` | no |
+| <a name="input_common_tags"></a> [common\_tags](#input\_common\_tags) | Common tags to apply to all resources | `map(string)` | `{}` | no |
+| <a name="input_create_alb_controller_service_account"></a> [create\_alb\_controller\_service\_account](#input\_create\_alb\_controller\_service\_account) | Whether to create the ALB Controller Service Account | `bool` | `false` | no |
+| <a name="input_create_helm_release"></a> [create\_helm\_release](#input\_create\_helm\_release) | Whether to create the Helm release for ALB Controller | `bool` | `true` | no |
+| <a name="input_eks_cluster_name"></a> [eks\_cluster\_name](#input\_eks\_cluster\_name) | Name of the EKS cluster | `string` | n/a | yes |
+| <a name="input_environment"></a> [environment](#input\_environment) | Environment name (e.g., sandbox, dev, prod) | `string` | n/a | yes |
+| <a name="input_helm_chart_repository"></a> [helm\_chart\_repository](#input\_helm\_chart\_repository) | Helm chart repository URL | `string` | `"https://aws.github.io/eks-charts"` | no |
+| <a name="input_helm_chart_values"></a> [helm\_chart\_values](#input\_helm\_chart\_values) | Additional values to pass to the Helm chart | `list(string)` | `[]` | no |
+| <a name="input_helm_release_name"></a> [helm\_release\_name](#input\_helm\_release\_name) | Name of the Helm release | `string` | `"aws-load-balancer-controller"` | no |
+| <a name="input_helm_values_file"></a> [helm\_values\_file](#input\_helm\_values\_file) | Path to a values.yaml file to use with the Helm chart. If provided, this will be used alongside helm\_chart\_values | `string` | `""` | no |
+| <a name="input_project_name"></a> [project\_name](#input\_project\_name) | Project name for resource naming and tagging | `string` | n/a | yes |
+| <a name="input_region"></a> [region](#input\_region) | AWS region | `string` | n/a | yes |
+| <a name="input_service_account_labels"></a> [service\_account\_labels](#input\_service\_account\_labels) | Labels to apply to the ALB Controller Service Account | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+| ---- | ----------- |
+| <a name="output_alb_controller_role_arn"></a> [alb\_controller\_role\_arn](#output\_alb\_controller\_role\_arn) | The ARN of the AWS Load Balancer Controller IAM role |
+| <a name="output_alb_controller_service_account"></a> [alb\_controller\_service\_account](#output\_alb\_controller\_service\_account) | Service Account Name of AWS Load Balancer Controller |
+| <a name="output_region"></a> [region](#output\_region) | AWS region where resources are created |
+<!-- END_TF_DOCS -->

terraform/aws/modules/application-resources/argocd/README.md

@@ -0,0 +1,64 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+| ---- | ------- |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.0 |
+
+## Providers
+
+| Name | Version |
+| ---- | ------- |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+| ---- | ---- |
+| [aws_iam_role.argocd_management](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.cross_account_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy_attachment.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_eks_cluster.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source |
+| [aws_iam_openid_connect_provider.oidc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_openid_connect_provider) | data source |
+| [aws_iam_policy_document.cross_account_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+| ---- | ----------- | ---- | ------- | :------: |
+| <a name="input_additional_assume_role_statements"></a> [additional\_assume\_role\_statements](#input\_additional\_assume\_role\_statements) | Additional IAM policy statements to add to the role's assume role policy | `list(any)` | `[]` | no |
+| <a name="input_additional_policy_arns"></a> [additional\_policy\_arns](#input\_additional\_policy\_arns) | Additional policy ARNs to attach to the ArgoCD role | `list(string)` | `[]` | no |
+| <a name="input_argocd_namespace"></a> [argocd\_namespace](#input\_argocd\_namespace) | Kubernetes namespace where ArgoCD is deployed | `string` | `"argocd"` | no |
+| <a name="input_argocd_service_accounts"></a> [argocd\_service\_accounts](#input\_argocd\_service\_accounts) | List of ArgoCD service accounts that can assume this role | `list(string)` | <pre>[<br/>  "argocd-application-controller",<br/>  "argocd-applicationset-controller",<br/>  "argocd-server"<br/>]</pre> | no |
+| <a name="input_aws_account_id"></a> [aws\_account\_id](#input\_aws\_account\_id) | AWS Account ID where the role is created | `string` | n/a | yes |
+| <a name="input_cluster_service_accounts"></a> [cluster\_service\_accounts](#input\_cluster\_service\_accounts) | Map of cluster names to service accounts that can assume this role. Each service account must have 'namespace' and 'name' attributes. | <pre>map(list(object({<br/>    namespace = string<br/>    name      = string<br/>  })))</pre> | `{}` | no |
+| <a name="input_common_tags"></a> [common\_tags](#input\_common\_tags) | Common tags to apply to all resources | `map(string)` | `{}` | no |
+| <a name="input_create_assume_role_policy"></a> [create\_assume\_role\_policy](#input\_create\_assume\_role\_policy) | Whether to create and attach the assume role policy for cross-account access | `bool` | `true` | no |
+| <a name="input_cross_account_roles"></a> [cross\_account\_roles](#input\_cross\_account\_roles) | List of cross-account role ARNs that ArgoCD can assume | `list(string)` | `[]` | no |
+| <a name="input_environment"></a> [environment](#input\_environment) | Environment name (e.g., sandbox, dev, prod) | `string` | n/a | yes |
+| <a name="input_max_session_duration"></a> [max\_session\_duration](#input\_max\_session\_duration) | Maximum session duration in seconds for the role | `number` | `3600` | no |
+| <a name="input_oidc_audience"></a> [oidc\_audience](#input\_oidc\_audience) | Audience for OIDC token validation | `string` | `"sts.amazonaws.com"` | no |
+| <a name="input_project_name"></a> [project\_name](#input\_project\_name) | Project name for resource naming and tagging | `string` | n/a | yes |
+| <a name="input_region"></a> [region](#input\_region) | AWS region | `string` | n/a | yes |
+| <a name="input_role_description"></a> [role\_description](#input\_role\_description) | Description for the ArgoCD management IAM role | `string` | `"IAM role for ArgoCD to manage cross-account deployments"` | no |
+| <a name="input_role_name"></a> [role\_name](#input\_role\_name) | Name of the ArgoCD management IAM role. If null, defaults to {project}-{env}-argocd-management-role | `string` | `null` | no |
+| <a name="input_role_path"></a> [role\_path](#input\_role\_path) | Path for the IAM role | `string` | `"/"` | no |
+
+## Outputs
+
+| Name | Description |
+| ---- | ----------- |
+| <a name="output_cluster_service_accounts"></a> [cluster\_service\_accounts](#output\_cluster\_service\_accounts) | Map of cluster names to their service account subjects |
+| <a name="output_oidc_provider_urls"></a> [oidc\_provider\_urls](#output\_oidc\_provider\_urls) | Map of cluster names to their OIDC provider URLs |
+| <a name="output_role_arn"></a> [role\_arn](#output\_role\_arn) | ARN of the ArgoCD management IAM role |
+| <a name="output_role_id"></a> [role\_id](#output\_role\_id) | ID of the ArgoCD management IAM role |
+| <a name="output_role_name"></a> [role\_name](#output\_role\_name) | Name of the ArgoCD management IAM role |
+| <a name="output_role_unique_id"></a> [role\_unique\_id](#output\_role\_unique\_id) | Unique ID of the ArgoCD management IAM role |
+<!-- END_TF_DOCS -->

terraform/aws/modules/application-resources/decision-engine/README.md

@@ -0,0 +1,78 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+| ---- | ------- |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
+
+## Providers
+
+| Name | Version |
+| ---- | ------- |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.0 |
+
+## Modules
+
+| Name | Source | Version |
+| ---- | ------ | ------- |
+| <a name="module_s3_bucket"></a> [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 5.0 |
+
+## Resources
+
+| Name | Type |
+| ---- | ---- |
+| [aws_iam_policy.ses_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy_attachment.aws_managed](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.customer_managed](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.ses_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_eks_cluster.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source |
+| [aws_iam_openid_connect_provider.oidc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_openid_connect_provider) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+| ---- | ----------- | ---- | ------- | :------: |
+| <a name="input_additional_assume_role_statements"></a> [additional\_assume\_role\_statements](#input\_additional\_assume\_role\_statements) | Additional IAM assume role policy statements to append | `list(any)` | `[]` | no |
+| <a name="input_app_name"></a> [app\_name](#input\_app\_name) | Application name | `string` | `"decision-engine"` | no |
+| <a name="input_assume_role_principals"></a> [assume\_role\_principals](#input\_assume\_role\_principals) | List of AWS principal ARNs allowed to assume this role (e.g., ['arn:aws:iam::123456789012:root']) | `list(string)` | `[]` | no |
+| <a name="input_aws_managed_policy_names"></a> [aws\_managed\_policy\_names](#input\_aws\_managed\_policy\_names) | List of AWS managed policy names to attach | `list(string)` | `[]` | no |
+| <a name="input_cluster_service_accounts"></a> [cluster\_service\_accounts](#input\_cluster\_service\_accounts) | Map of EKS cluster names to their respective list of Kubernetes service accounts (namespace and service account name) | <pre>map(list(object({<br/>    namespace = string<br/>    name      = string<br/>  })))</pre> | `{}` | no |
+| <a name="input_customer_managed_policy_arns"></a> [customer\_managed\_policy\_arns](#input\_customer\_managed\_policy\_arns) | List of customer managed policy ARNs to attach | `list(string)` | `[]` | no |
+| <a name="input_environment"></a> [environment](#input\_environment) | Environment name (e.g., sandbox, dev, prod) | `string` | n/a | yes |
+| <a name="input_force_detach_policies"></a> [force\_detach\_policies](#input\_force\_detach\_policies) | Whether to force detaching policies when destroying the role | `bool` | `true` | no |
+| <a name="input_inline_policies"></a> [inline\_policies](#input\_inline\_policies) | Map of inline policy names to JSON policy documents to attach to the role | `map(string)` | `{}` | no |
+| <a name="input_max_session_duration"></a> [max\_session\_duration](#input\_max\_session\_duration) | Maximum session duration for the role (in seconds) | `number` | `3600` | no |
+| <a name="input_project_name"></a> [project\_name](#input\_project\_name) | Project name for resource naming and tagging | `string` | n/a | yes |
+| <a name="input_region"></a> [region](#input\_region) | AWS region | `string` | `null` | no |
+| <a name="input_role_description"></a> [role\_description](#input\_role\_description) | Custom IAM role description | `string` | `null` | no |
+| <a name="input_role_name"></a> [role\_name](#input\_role\_name) | Custom IAM role name. If null, auto-generated as {environment}-{project}-{app}-role | `string` | `null` | no |
+| <a name="input_role_path"></a> [role\_path](#input\_role\_path) | IAM role path | `string` | `"/"` | no |
+| <a name="input_s3_bucket"></a> [s3\_bucket](#input\_s3\_bucket) | Configuration for the Decision Engine S3 bucket | <pre>object({<br/>    enabled                       = optional(bool, true)<br/>    bucket_name                   = optional(string, null)<br/>    force_destroy                 = optional(bool, false)<br/>    versioning_enabled            = optional(bool, true)<br/>    lifecycle_rules               = optional(list(object({<br/>      id                            = string<br/>      enabled                       = bool<br/>      prefix                        = optional(string, "")<br/>      expiration_days               = optional(number, null)<br/>      noncurrent_version_expiration = optional(number, null)<br/>      transition                    = optional(list(object({<br/>        days          = number<br/>        storage_class = string<br/>      })), [])<br/>    })), [])<br/>  })</pre> | `{}` | no |
+| <a name="input_ses"></a> [ses](#input\_ses) | SES configuration. Set to {} to disable SES policy. Only accepts existing SES role ARN (does NOT create SES resources). | <pre>object({<br/>    enabled  = optional(bool, false)  # Set true to enable SES policy<br/>    role_arn = optional(string, null) # Existing SES role ARN to assume<br/>  })</pre> | `{}` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Common tags to apply to all resources | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+| ---- | ----------- |
+| <a name="output_account_id"></a> [account\_id](#output\_account\_id) | AWS account ID |
+| <a name="output_assume_role_principals_enabled"></a> [assume\_role\_principals\_enabled](#output\_assume\_role\_principals\_enabled) | Whether assume role principals feature is enabled |
+| <a name="output_aws_managed_policies_enabled"></a> [aws\_managed\_policies\_enabled](#output\_aws\_managed\_policies\_enabled) | Whether AWS managed policy attachments feature is enabled |
+| <a name="output_customer_managed_policies_enabled"></a> [customer\_managed\_policies\_enabled](#output\_customer\_managed\_policies\_enabled) | Whether customer managed policy attachments feature is enabled |
+| <a name="output_inline_policies_enabled"></a> [inline\_policies\_enabled](#output\_inline\_policies\_enabled) | Whether inline policies feature is enabled |
+| <a name="output_oidc_enabled"></a> [oidc\_enabled](#output\_oidc\_enabled) | Whether OIDC/IRSA feature is enabled |
+| <a name="output_region"></a> [region](#output\_region) | AWS region where resources are created |
+| <a name="output_role_arn"></a> [role\_arn](#output\_role\_arn) | ARN of the IAM role for Decision Engine application |
+| <a name="output_role_id"></a> [role\_id](#output\_role\_id) | ID of the IAM role for Decision Engine application |
+| <a name="output_role_name"></a> [role\_name](#output\_role\_name) | Name of the IAM role for Decision Engine application |
+| <a name="output_s3_bucket_arn"></a> [s3\_bucket\_arn](#output\_s3\_bucket\_arn) | The ARN of the S3 bucket |
+| <a name="output_s3_bucket_domain_name"></a> [s3\_bucket\_domain\_name](#output\_s3\_bucket\_domain\_name) | The domain name of the S3 bucket |
+| <a name="output_s3_bucket_id"></a> [s3\_bucket\_id](#output\_s3\_bucket\_id) | The ID (name) of the S3 bucket |
+| <a name="output_s3_bucket_name"></a> [s3\_bucket\_name](#output\_s3\_bucket\_name) | The name of the S3 bucket |
+| <a name="output_s3_bucket_regional_domain_name"></a> [s3\_bucket\_regional\_domain\_name](#output\_s3\_bucket\_regional\_domain\_name) | The regional domain name of the S3 bucket |
+<!-- END_TF_DOCS -->