[MOSIP-44628] Updated documentation and flow diagram for terraform profile based workflow

[abhishek-1809]

Summary by CodeRabbit

• Documentation
  • Introduced profile-scoped Terraform state layout and naming across guides, diagrams, and examples (profile segment in state filenames/paths).
  • Added INFRA_PROFILE parameter and required Profile selection (mosip/esignet) to workflows, destruction guides, and examples.
  • Documented GH_INFRA_PAT personal access token generation, permissions, and checklist inclusion.
  • Clarified backend behavior (S3 vs local), backup/cleanup for profile-based states, noted PostgreSQL/ActiveMQ options, and expanded workflow parameter walkthroughs.

[coderabbitai]

Warning

Review limit reached

@bhumi46, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 17 minutes and 9 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: a15bf895-e02e-4976-a2b1-e4a45fbc033f

📥 Commits

Reviewing files that changed from the base of the PR and between c743abd and a512b6b.

📒 Files selected for processing (1)

• docs/TERRAFORM_WORKFLOW_GUIDE.md

Walkthrough

This PR updates infrastructure documentation to support profile-based Terraform state isolation across components: state file naming and directory layouts now include profile segments, INFRA_PROFILE workflow parameter added, GH_INFRA_PAT secret guidance added, and workflow, backup, cleanup, and architecture docs revised.

Changes

Terraform State Profile Isolation Documentation

Layer / File(s)	Summary
Profile-based state file naming and directory structure .github/workflows/README.md, terraform/README.md	State file naming patterns revised to include {profile} for infra components. Directory layout updated to terraform/implementations/{cloud}/profiles/{profile}/ for profile-isolated encrypted and decrypted state files.
INFRA_PROFILE parameter introduction docs/TERRAFORM_WORKFLOW_GUIDE.md, .github/workflows/README.md	New INFRA_PROFILE workflow parameter documented for isolated deployments and Terraform state separation. Multi-environment setup examples updated to include INFRA_PROFILE.
GitHub Actions workflow and Helmsman walkthroughs README.md	Main infra workflow steps updated to require Profile selection (mosip/esignet); base-infra backend behavior clarified (S3 bucket provided = remote state; bucket empty = local backend). Helmsman deployment walkthroughs expanded with profile and additional inputs.
State management backup and cleanup procedures docs/ENVIRONMENT_DESTRUCTION_GUIDE.md	State backup procedures extended to archive profile-isolated files under profiles/<profile>/terraform.tfstate*. Local cleanup commands extended to remove state files under terraform/implementations/aws/*/profiles/*/.
Architecture diagrams and module documentation docs/_images/ARCHITECTURE_DIAGRAMS.md, terraform/README.md	State isolation diagrams updated with -<profile>- segments in cloud-specific filenames and GCP object key patterns; AWS module list extended with activemq-setup/.
GH_INFRA_PAT secret guidance docs/SECRET_GENERATION_GUIDE.md, README.md	Added documentation for generating and storing a GitHub Personal Access Token (GH_INFRA_PAT) with required permissions, TOC/checklist updates, and visual guide updates showing the new repository secret.

Estimated code review effort:
🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs:

• mosip/infra#224: Related prior changes introducing profile-scoped Terraform state file paths and decrypt/encrypt workflow behavior.

Suggested reviewers:

• ckm007

"🐰
Profiles nest the state with care,
Filenames tidy, secrets shared,
Diagrams hop into their place,
Workflows trimmed with gentle grace,
Docs sing softly—operations spared."

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main purpose of the changeset: updating documentation and architecture diagrams to document a new terraform profile-based workflow implementation.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (3)

.github/workflows/README.md (1)

172-190: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Profile placeholder creates ambiguity.

Line 190 states where <profile> = mosip/esignet, which suggests the profile value itself contains a forward slash. However:

1. The directory structure profiles/<profile>/ implies <profile> is a single directory name
2. State filenames like aws-infra-<profile>-<branch>-terraform.tfstate suggest <profile> is a single token
3. Other documentation suggests choosing between mosip OR esignet

Recommendation: Clarify whether:

• Profile is a single value (e.g., mosip or esignet separately), OR
• Profile intentionally supports slash-separated paths (e.g., mosip/esignet as one value)

If it's a single value, update line 190 and similar instances to show separate examples rather than combined.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/README.md around lines 172 - 190, The docs are ambiguous
about the profile placeholder; update the README so <profile> is clearly defined
as a single token (e.g., "mosip" or "esignet") rather than "mosip/esignet":
change the example at the `where <profile> = mosip/esignet` note to show
separate examples (e.g., `where <profile> = mosip` or `where <profile> =
esignet`) and ensure surrounding references like `profiles/<profile>/` and
filenames `aws-infra-<profile>-<branch>-terraform.tfstate` reflect that
<profile> is a single directory/name, not a slash-separated path.

docs/ENVIRONMENT_DESTRUCTION_GUIDE.md (1)

48-48: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Profile format inconsistency (same issue as README.md).

This shows Profile: esignet/mosip which is inconsistent with other documentation. See the detailed comment on README.md line 844 for the full explanation and recommendation.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/ENVIRONMENT_DESTRUCTION_GUIDE.md` at line 48, The "Profile:
esignet/mosip" entry in ENVIRONMENT_DESTRUCTION_GUIDE.md uses a different
profile format than the rest of the docs; update this line to match the
canonical profile format used elsewhere (as noted in README.md) by replacing
"Profile: esignet/mosip" with the standardized profile syntax (use the same
casing, delimiter and structure as the README.md recommendation) so
documentation is consistent across files.

terraform/README.md (1)

293-330: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Profile placeholder ambiguity (same issue as other files).

Lines 307 and 330 state where <profile> = mosip/esignet, creating the same ambiguity noted in other files. See the detailed comment on .github/workflows/README.md lines 172-190 for full explanation.

Additionally, line 323 is missing a language identifier for the fenced code block (markdown linting issue MD040).

🔧 Fix for markdown linting issue

 
 Examples:
+```
 ├── aws-base-infra-main-terraform.tfstate.gpg # Production base infrastructure
 ├── profiles/<profile>/aws-infra-<profile>-staging-terraform.tfstate.gpg # Staging MOSIP cluster 

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@terraform/README.md` around lines 293 - 330, Replace the ambiguous
placeholder text "where <profile> = mosip/esignet" with an explicit explanation
such as "where <profile> can be either 'mosip' or 'esignet'" in both occurrences
(the two README paragraphs that reference profile values) and add a language
identifier to the fenced code block that shows example state filenames (e.g.,
change the opening backticks to ```text or ```bash) so markdown linting MD040 is
satisfied; update the example block and both profile notes (`where <profile>
...`) accordingly.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@README.md`:
- Around line 844-854: The "Profile" field is documented inconsistently; update
the README's Profile section (the "Profile" bullet) to clearly show it expects a
single value (either "mosip" or "esignet") using a consistent choice notation
like "Profile: <select one: mosip | esignet>" and replace other variants such as
"esignet / mosip", "esignet/mosip", and "INFRA_PROFILE: mosip/esignet" with the
same single-value examples or explicit choice notation; ensure references to
state naming "{cloud}-{component}-{profile}-{branch}" and the
ENVIRONMENT_DESTRUCTION_GUIDE and INFRA_PROFILE examples all use the
single-value format so users understand to pass only "mosip" or "esignet".

---

Duplicate comments:
In @.github/workflows/README.md:
- Around line 172-190: The docs are ambiguous about the profile placeholder;
update the README so <profile> is clearly defined as a single token (e.g.,
"mosip" or "esignet") rather than "mosip/esignet": change the example at the
`where <profile> = mosip/esignet` note to show separate examples (e.g., `where
<profile> = mosip` or `where <profile> = esignet`) and ensure surrounding
references like `profiles/<profile>/` and filenames
`aws-infra-<profile>-<branch>-terraform.tfstate` reflect that <profile> is a
single directory/name, not a slash-separated path.

In `@docs/ENVIRONMENT_DESTRUCTION_GUIDE.md`:
- Line 48: The "Profile: esignet/mosip" entry in
ENVIRONMENT_DESTRUCTION_GUIDE.md uses a different profile format than the rest
of the docs; update this line to match the canonical profile format used
elsewhere (as noted in README.md) by replacing "Profile: esignet/mosip" with the
standardized profile syntax (use the same casing, delimiter and structure as the
README.md recommendation) so documentation is consistent across files.

In `@terraform/README.md`:
- Around line 293-330: Replace the ambiguous placeholder text "where <profile> =
mosip/esignet" with an explicit explanation such as "where <profile> can be
either 'mosip' or 'esignet'" in both occurrences (the two README paragraphs that
reference profile values) and add a language identifier to the fenced code block
that shows example state filenames (e.g., change the opening backticks to
```text or ```bash) so markdown linting MD040 is satisfied; update the example
block and both profile notes (`where <profile> ...`) accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 729a6f7a-3ca9-4cf9-bf0d-58e521e30e9c

📥 Commits

Reviewing files that changed from the base of the PR and between dd9cc42 and 07fb882.

⛔ Files ignored due to path filters (2)

• docs/_images/infra-terraform-apply.png is excluded by !**/*.png
• docs/_images/infra-terraform-destroy.png is excluded by !**/*.png

📒 Files selected for processing (6)

• .github/workflows/README.md
• README.md
• docs/ENVIRONMENT_DESTRUCTION_GUIDE.md
• docs/TERRAFORM_WORKFLOW_GUIDE.md
• docs/_images/ARCHITECTURE_DIAGRAMS.md
• terraform/README.md

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@README.md`:
- Around line 208-219: The README documents GH_INFRA_PAT but the Step 2
"Configure GitHub Secrets" actionable list omits it; update the Step 2 secrets
list to include GH_INFRA_PAT with a short note about its required scopes
(Contents: Read & write, Metadata: Read, Actions/Environments/Variables: Read &
write) and a brief pointer that it is a GitHub Personal Access Token
(fine-grained) used for repository operations; locate the Step 2 section and add
GH_INFRA_PAT alongside the other secret names so copy-paste setup instructions
and any examples reference this variable.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 342d06c2-7d29-471b-8c86-2cff2918425d

📥 Commits

Reviewing files that changed from the base of the PR and between 07fb882 and 49d8228.

📒 Files selected for processing (2)

• README.md
• docs/SECRET_GENERATION_GUIDE.md

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/SECRET_GENERATION_GUIDE.md`:
- Line 308: Update the permission label wording in the string that currently
reads "- **Contents**: Read and write *(critical, Read only causes 403 on
push)*" so the parenthetical uses the hyphenated form "Read-only" (i.e., change
"Read only causes 403 on push" to "Read-only causes 403 on push") within
SECRET_GENERATION_GUIDE.md to keep the permission label consistent.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 83a5a6be-127b-4f7c-b108-fa2ab22cf018

📥 Commits

Reviewing files that changed from the base of the PR and between 49d8228 and 389a4e6.

⛔ Files ignored due to path filters (3)

• docs/_images/esignet.png is excluded by !**/*.png
• docs/_images/helmsman-external-services.png is excluded by !**/*.png
• docs/_images/helmsman-testrigs.png is excluded by !**/*.png

📒 Files selected for processing (3)

• README.md
• docs/ENVIRONMENT_DESTRUCTION_GUIDE.md
• docs/SECRET_GENERATION_GUIDE.md

🚧 Files skipped from review as they are similar to previous changes (1)

• docs/ENVIRONMENT_DESTRUCTION_GUIDE.md