fix: Security and reliability improvements for AWS Terraform module

Author: bogdan-ts

docker-compose.yml

@@ -26,7 +26,14 @@ services:
       POSTGRES_DB: target_database
       POSTGRES_USER: postgres
       POSTGRES_PASSWORD: postgres
-    command: ["postgres", "-c", "shared_preload_libraries=pg_stat_statements", "-c", "pg_stat_statements.track=all"]
+    command:
+      [
+        "postgres",
+        "-c",
+        "shared_preload_libraries=pg_stat_statements",
+        "-c",
+        "pg_stat_statements.track=all",
+      ]
     ports:
       - "55432:5432"
     volumes:
@@ -57,18 +64,24 @@ services:
       - ./config/prometheus/prometheus.yml:/etc/prometheus/prometheus.yml
       - prometheus_data:/prometheus
     command:
-      - '--config.file=/etc/prometheus/prometheus.yml'
-      - '--storage.tsdb.path=/prometheus'
-      - '--web.console.libraries=/etc/prometheus/console_libraries'
-      - '--web.console.templates=/etc/prometheus/consoles'
-      - '--storage.tsdb.retention.time=200h'
-      - '--web.enable-lifecycle'
+      - "--config.file=/etc/prometheus/prometheus.yml"
+      - "--storage.tsdb.path=/prometheus"
+      - "--web.console.libraries=/etc/prometheus/console_libraries"
+      - "--web.console.templates=/etc/prometheus/consoles"
+      - "--storage.tsdb.retention.time=200h"
+      - "--web.enable-lifecycle"
 
   # PGWatch Instance 1 - Monitoring service (Postgres sink)
   pgwatch-postgres:
     image: cybertecpostgresql/pgwatch:3
     container_name: pgwatch-postgres
-    command: ["--sources=/etc/pgwatch/sources.yml", "--metrics=/etc/pgwatch/metrics.yml", "--sink=postgresql://pgwatch:pgwatchadmin@sink-postgres:5432/measurements", "--web-addr=:8080"]
+    command:
+      [
+        "--sources=/etc/pgwatch/sources.yml",
+        "--metrics=/etc/pgwatch/metrics.yml",
+        "--sink=postgresql://pgwatch:pgwatchadmin@sink-postgres:5432/measurements",
+        "--web-addr=:8080",
+      ]
     ports:
       - "58080:8080"
     depends_on:
@@ -82,7 +95,13 @@ services:
   pgwatch-prometheus:
     image: cybertecpostgresql/pgwatch:3
     container_name: pgwatch-prometheus
-    command: ["--sources=/etc/pgwatch/sources.yml", "--metrics=/etc/pgwatch/metrics.yml", "--sink=prometheus://0.0.0.0:9091/pgwatch", "--web-addr=:8089"]
+    command:
+      [
+        "--sources=/etc/pgwatch/sources.yml",
+        "--metrics=/etc/pgwatch/metrics.yml",
+        "--sink=prometheus://0.0.0.0:9091/pgwatch",
+        "--web-addr=:8089",
+      ]
     ports:
       - "58089:8089"
       - "59091:9091"
@@ -99,7 +118,7 @@ services:
     container_name: grafana-with-datasources
     environment:
       GF_SECURITY_ADMIN_USER: monitor
-      GF_SECURITY_ADMIN_PASSWORD: ${GRAFANA_PASSWORD:-demo}
+      GF_SECURITY_ADMIN_PASSWORD: ${GF_SECURITY_ADMIN_PASSWORD:-demo}
       GF_INSTALL_PLUGINS: yesoreyeram-infinity-datasource
     ports:
       - "3000:3000"

terraform/aws/QUICKSTART.md

@@ -22,9 +22,17 @@ cp terraform.tfvars.example terraform.tfvars
 vim terraform.tfvars
 ```
 
-Set required parameters:
+Uncomment and set all required parameters:
 - `ssh_key_name` - your AWS SSH key name
-- `grafana_password` - custom password (optional, defaults to "demo")
+- `aws_region` - AWS region
+- `environment` - environment name
+- `instance_type` - EC2 instance type (e.g., t3.medium)
+- `data_volume_size` - data disk size in GiB
+- `data_volume_type` / `root_volume_type` - volume types (gp3, st1, sc1)
+- `allowed_ssh_cidr` / `allowed_cidr_blocks` - CIDR blocks for access
+- `use_elastic_ip` - allocate Elastic IP (true/false)
+- `grafana_password` - Grafana admin password
+- `postgres_ai_version` - git branch/tag (optional, defaults to "main")
 
 ## Add monitoring instances
 
@@ -45,12 +53,14 @@ monitoring_instances = [
 ## Deploy
 
 ```bash
-# Validate
-./validate.sh
-
-# Deploy
+# Initialize and validate
 terraform init
+terraform validate
+
+# Review changes
 terraform plan
+
+# Deploy
 terraform apply
 
 # Get access info
@@ -63,10 +73,10 @@ terraform output ssh_command
 ```bash
 # Grafana dashboard
 open $(terraform output -raw grafana_url)
-# Login: monitor / demo (or your custom password)
+# Login: monitor / <password from terraform.tfvars>
 
 # SSH
-ssh -i ~/.ssh/postgres-ai-key.pem ubuntu@$(terraform output -raw public_ip)
+ssh -i ~/.ssh/postgres-ai-key.pem ubuntu@$(terraform output -raw external_ip)
 ```
 
 ## Operations
@@ -95,3 +105,17 @@ ssh ubuntu@IP "sudo systemctl status postgres-ai"
 ssh ubuntu@IP "sudo docker ps"
 ```
 
+## Security notes
+
+Credentials (passwords, connection strings) are stored in `terraform.tfstate` in plain text. For one-off/dev deployments this is acceptable if you clean up after `terraform destroy`:
+
+```bash
+terraform destroy
+rm -rf .terraform/ terraform.tfstate*
+```
+
+For production deployments, consider:
+- Using environment variables: `export TF_VAR_grafana_password=...`
+- Remote state with encryption (S3 + encryption)
+- Configuring monitoring instances manually after deployment
+