From 85111ec243992d08f9a73a5b7a97a52ab1b636bd Mon Sep 17 00:00:00 2001
From: Natalie
Date: Mon, 29 Jun 2026 08:11:04 -0400
Subject: [PATCH] revert: drop people/prospector DBs from shared store IaC

Per-service DBs move to each service's own project infra declaration, not the catch-all uvlava store cluster module (uvlava itself may be superseded by per-project infra). Cluster + quinn/quinn_admin unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 terraform/do/database.tf | 13 -------------
 terraform/do/outputs.tf | 12 ------------
 terraform/do/variables.tf | 4 ++--
 3 files changed, 2 insertions(+), 27 deletions(-)

diff --git a/terraform/do/database.tf b/terraform/do/database.tf
index 9f26cc9..3573f1d 100644
--- a/terraform/do/database.tf
+++ b/terraform/do/database.tf
@@ -36,19 +36,6 @@ resource "digitalocean_database_user" "app" {
 name = "quinn_app"
 }
 
-# Dedicated roles for the standalone services (credential separation: the
-# prospector/people services never hold quinn_app's creds). DO managed PG
-# generates each password; surfaced via the sensitive outputs below.
-resource "digitalocean_database_user" "people" {
- cluster_id = digitalocean_database_cluster.pg.id
- name = "people"
-}
-
-resource "digitalocean_database_user" "prospector" {
- cluster_id = digitalocean_database_cluster.pg.id
- name = "prospector"
-}
-
 # Trusted sources = ONLY the backend droplet. This is the hard private boundary:
 # nothing else — not the internet, not vps-0 directly — can open a PG connection.
 resource "digitalocean_database_firewall" "pg" {
diff --git a/terraform/do/outputs.tf b/terraform/do/outputs.tf
index 006df1f..ba65e02 100644
--- a/terraform/do/outputs.tf
+++ b/terraform/do/outputs.tf
@@ -37,18 +37,6 @@ output "pg_databases" {
 value = [for db in digitalocean_database_db.dbs : db.name]
 }
 
-# Standalone-service DB credentials (consumed by the prospector + people service
-# .env on the backend droplet). Sensitive — read via `terraform output -raw`.
-output "people_db_password" {
- value = digitalocean_database_user.people.password
- sensitive = true
-}
-
-output "prospector_db_password" {
- value = digitalocean_database_user.prospector.password
- sensitive = true
-}
-
 output "spaces_bucket_endpoint" {
 description = "S3 endpoint for the media bucket (services use signed URLs)."
 value = digitalocean_spaces_bucket.media.bucket_domain_name
diff --git a/terraform/do/variables.tf b/terraform/do/variables.tf
index 5e33438..26729b5 100644
--- a/terraform/do/variables.tf
+++ b/terraform/do/variables.tf
@@ -95,9 +95,9 @@ variable "pg_node_count" {
 }
 
 variable "pg_databases" {
- description = "Logical databases to create on the cluster. quinn/quinn_admin mirror black; people + prospector are the standalone cocottetech services (own-DB-per-service)."
+ description = "Logical databases to create on the cluster (mirrors black's quinn + quinn_admin). Per-service DBs (people, prospector) are owned by their own service-scoped terraform modules that data-source this cluster."
 type = list(string)
- default = ["quinn", "quinn_admin", "people", "prospector"]
+ default = ["quinn", "quinn_admin"]
 }
 
 ###############################################################################
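Review bot: Shrinking the `pg_databases` default to `["quinn", "quinn_admin"]` makes the next apply plan a destroy of the existing `people` and `prospector` logical databases, assuming `digitalocean_database_db.dbs` is keyed on this variable (the `pg_databases` output in the outputs.tf hunk suggests it is); together with the `digitalocean_database_user.people` / `.prospector` resources deleted in the database.tf hunk, that drops live data and revokes the credentials the service `.env` files on the backend droplet still hold. The commit message says these DBs move to service-scoped modules, but nothing in the patch hands the objects over rather than destroying them. Before this is applied the state entries should be detached, e.g. `terraform state rm 'digitalocean_database_db.dbs["people"]'` (likewise the `prospector` instance and the two user resources) and then imported by the new modules; for the two whole-resource users a `removed` block with `lifecycle { destroy = false }` does the same declaratively. The new description could also note that `digitalocean_database_firewall.pg` still trusts only the backend droplet, so a service module that merely data-sources the cluster cannot connect from anywhere else without a firewall change.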