Merge pull request #17 from dukeofgaming/dev

Merge dev into main

README.md

@@ -89,7 +89,7 @@ If this is not your first run, use `terraform init -backend-config=backend.hcl`
 
 #### Quickstart
 
-For full instructions including how to migrate to an S3 backend from an initial run (highly recommended), see the [README](iac/terraform/core/README.md) in the `iac/terraform/core` directory.
+For full instructions including how to migrate to an S3 backend from an initial run (highly recommended), see the [README](iac/terraform/app/README.md) in the `iac/terraform/app` directory.
 
 1. Copy the `.env.sh.dist` file to `.env.sh` and fill in the required values, then run:
 

docs/adrs/10 - Healtcheck endpoint.md

@@ -2,13 +2,24 @@
 Accepted
 
 ## Context
-When hooking up the service to a load balancer, a challenge was encountered. The balancer was configured to expect a "200" status from the root ("/") endpoint for health checks, but the application, by default, returned a "404". Altering the root endpoint was considered, but the principle of Chesterton's Fence suggested caution: it's unwise to change something without understanding why it exists in the first place.
+When hooking up the service to a load balancer, a challenge was encountered. The balancer was configured to expect a "200" status from the root ("/") endpoint for health checks, but the application, by default, returned a "404". 
+
+Altering the root endpoint was considered, but the principle of [Chesterton's Fence](https://www.youtube.com/watch?v=qPGbl2gxGqI) suggested caution: it's unwise to change something without understanding why it exists in the first place.
 
 ## Decision
-Rather than altering the existing root endpoint, a new "/healthcheck" endpoint was introduced. This endpoint performs a database connectivity check and returns the application's version. This approach satisfies the load balancer's requirements without modifying the root endpoint's behavior.
+Rather than altering the existing root endpoint, a new `/healthcheck` endpoint was introduced. 
+
+This endpoint performs a **database connectivity check** and returns the application's version. 
+
+This approach satisfies the load balancer's requirements without modifying the root endpoint's behavior.
 
 ## Consequences
-1. Elimination of unnecessary ECS restarts, as the load balancer now receives the "200" status it requires.
-2. Preservation of the root endpoint's original design, respecting its intended purpose.
+1. Elimination of unnecessary ECS restarts if there is oversight in configuring the load balancer at any point, as the load balancer now receives the "200" status it requires.
+
+2. Preservation of the root endpoint's original design, respecting its intended purpose if any.
+
 3. Enhancement of debugging capabilities through the inclusion of the application's version in the health check response.
-4. Establishment of a precedent for future health check adjustments without disrupting other application parts.
+
+4. Establishment of a precedent for *future health check adjustments* without disrupting other application parts.
+
+5. **Reduced attack surface** by limiting the matcher to a well-known HTTP status code, that can be used to test the infrastructure with other images.

docs/adrs/9 - Database Pasword Security.md

@@ -14,11 +14,11 @@ The design boils down to:
 - The secret version will be updated by the admin through Github Actions (**this is required for Terraform to change the RDS master password**).
 
 ```mermaid
-graph 
+graph
     subgraph "core"
         CoreTerraformState[("tfstate")]
         subgraph "pipeline"
-            RDSPasswordEnvSecret
+            PipelineServiceAccount
         end
     end
 
@@ -41,7 +41,7 @@ graph
         RDSPasswordSecret -- consumed securely by --> ECS
 
         RDSPasswordEnvSecret -- sent securely --> EncryptedState
-        RDSPasswordEnvSecret -. updates .-> RDSPasswordSecretVersion
+        PipelineServiceAccount -. updates .-> RDSPasswordSecretVersion
 
         style EncryptedState stroke:#f00, stroke-width:2px, fill:#600
         style Admin stroke:#f00, stroke-width:2px, fill:#600