diff --git a/terraform/do/database.tf b/terraform/do/database.tf
index 9f26cc9..3573f1d 100644
--- a/terraform/do/database.tf
+++ b/terraform/do/database.tf
@@ -36,19 +36,6 @@ resource "digitalocean_database_user" "app" {
 name = "quinn_app"
 }
 
-# Dedicated roles for the standalone services (credential separation: the
-# prospector/people services never hold quinn_app's creds). DO managed PG
-# generates each password; surfaced via the sensitive outputs below.
-resource "digitalocean_database_user" "people" {
- cluster_id = digitalocean_database_cluster.pg.id
- name = "people"
-}
-
-resource "digitalocean_database_user" "prospector" {
- cluster_id = digitalocean_database_cluster.pg.id
- name = "prospector"
-}
-
 # Trusted sources = ONLY the backend droplet. This is the hard private boundary:
 # nothing else — not the internet, not vps-0 directly — can open a PG connection.
 resource "digitalocean_database_firewall" "pg" {
diff --git a/terraform/do/outputs.tf b/terraform/do/outputs.tf
index 006df1f..ba65e02 100644
--- a/terraform/do/outputs.tf
+++ b/terraform/do/outputs.tf
@@ -37,18 +37,6 @@ output "pg_databases" {
 value = [for db in digitalocean_database_db.dbs : db.name]
 }
 
-# Standalone-service DB credentials (consumed by the prospector + people service
-# .env on the backend droplet). Sensitive — read via `terraform output -raw`.
-output "people_db_password" {
- value = digitalocean_database_user.people.password
- sensitive = true
-}
-
-output "prospector_db_password" {
- value = digitalocean_database_user.prospector.password
- sensitive = true
-}
-
 output "spaces_bucket_endpoint" {
 description = "S3 endpoint for the media bucket (services use signed URLs)."
 value = digitalocean_spaces_bucket.media.bucket_domain_name
diff --git a/terraform/do/variables.tf b/terraform/do/variables.tf
index 5e33438..26729b5 100644
--- a/terraform/do/variables.tf
+++ b/terraform/do/variables.tf
@@ -95,9 +95,9 @@ variable "pg_node_count" {
 }
 
 variable "pg_databases" {
- description = "Logical databases to create on the cluster. quinn/quinn_admin mirror black; people + prospector are the standalone cocottetech services (own-DB-per-service)."
+ description = "Logical databases to create on the cluster (mirrors black's quinn + quinn_admin). Per-service DBs (people, prospector) are owned by their own service-scoped terraform modules that data-source this cluster."
 type = list(string)
- default = ["quinn", "quinn_admin", "people", "prospector"]
+ default = ["quinn", "quinn_admin"]
 }
 
 ###############################################################################
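Review bot: Dropping `people` and `prospector` from the default on the `+ default` line will destroy those two logical databases on the next apply if `digitalocean_database_db.dbs` is still built from this variable (the outputs hunk iterates `digitalocean_database_db.dbs`, which suggests it is), and the database.tf hunk removes the matching `digitalocean_database_user` roles the same way, so whatever data and credentials the standalone services currently rely on would go with them. Nothing in the commit hands those resources over to the service-scoped modules the new description mentions, so the cutover order should be stated here: move them out of this state first (a `removed` block with `lifecycle { destroy = false }` on Terraform 1.7+, or `terraform state rm`), then import or data-source them on the service side, then drop the names. Suggest a why-comment above the default: `# Removing a name here destroys that logical DB on apply; move it out of this state first.`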