# PRD: Layer 50 - Application (Wiki.js)

**Scope:** Deployment account. Deploy Wiki.js via ArgoCD and wire DB, S3, ingress, and DNS.

**Dependencies:** PRD_00-cross-cutting, PRD_00-bootstrap, PRD_01-dns-main (for `dns_role_arn`), PRD_10-network, PRD_20-eks, PRD_30-data-rds, PRD_35-storage-s3-assets, PRD_40-platform, PRD_45-argocd.

## 1. Purpose and Execution Order

| ID | Requirement |
| ---- | ------------- |
| R-W50-001 | This layer SHALL deploy Wiki.js via ArgoCD and wire external PostgreSQL, S3 assets, ingress (ALB + TLS), and DNS. |
| R-W50-002 | The layer SHALL run after all infrastructure and platform layers (network, EKS, RDS, S3 assets, platform, ArgoCD). |
| R-W50-003 | Outputs SHALL be published to Parameter Store: ALB DNS name, ALB hosted zone ID (for Route 53 alias), and application URL. |
| R-W50-004 | This layer SHALL create (and on destroy, remove) the Route 53 A (alias) record for the Wiki.js FQDN in the domain account by assuming **dns_assume_role_arn** (layer 01); the record SHALL point to the ALB. |

## 2. ArgoCD Application

| ID | Requirement |
| ---- | ------------- |
| R-W50-101 | An ArgoCD Application resource SHALL be created pointing to the `apps/wikijs` path and the Wiki.js Helm chart. |
| R-W50-102 | The Application SHALL target the correct repository and branch/path as defined in the monorepo layout. |
| R-W50-103 | Wiki.js SHALL be deployed in the `wikijs` namespace. |

## 3. Wiki.js Configuration (Values)

| ID | Requirement |
| ---- | ------------- |
| R-W50-201 | Wiki.js SHALL be configured to use external PostgreSQL; connection parameters SHALL be supplied via an existing Kubernetes secret synced from Secrets Manager (RDS managed master password). |
| R-W50-202 | Wiki.js SHALL be configured with the mandatory S3 storage backend (bucket name, prefix, region), and the service account SHALL be bound to the IRSA role (layer 35) for S3 access. |
| R-W50-203 | Persistence configuration (PVC) SHALL be applied as required for Wiki.js runtime data. |
| R-W50-204 | Wiki.js application secrets (app secret key, admin bootstrap if used, SMTP, OAuth) SHALL be consumed from Kubernetes secrets synced from Secrets Manager; Terraform SHALL reference only ARNs. |
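
One way to satisfy R-W50-201 and R-W50-204 in Terraform, as an added example that is not the project's own code: the layer holds only the Secrets Manager ARN (read from a 30-data-rds Parameter Store path that is assumed here) and a SecretProviderClass for the Secrets Store CSI driver with the AWS provider (ASCP) materialises the RDS managed master secret as a Kubernetes Secret. A configured `kubernetes` provider pointed at the layer-20 cluster and the `ssm_root` variable are assumptions.

```hcl
variable "ssm_root" { type = string } # e.g. "/wikijs/<region>/<env>" (assumed path layout)
# Terraform sees only the ARN (R-W50-204); the parameter name under 30-data-rds is assumed.
data "aws_ssm_parameter" "rds_secret_arn" {
  name = "${var.ssm_root}/30-data-rds/master_secret_arn"
}
# Secrets Store CSI driver + AWS provider (ASCP) pull the RDS managed master secret into
# the pod and sync it to a Kubernetes Secret the Helm values reference by name (R-W50-201).
resource "kubernetes_manifest" "wikijs_db_spc" {
  manifest = {
    apiVersion = "secrets-store.csi.x-k8s.io/v1"
    kind       = "SecretProviderClass"
    metadata   = { name = "wikijs-db", namespace = "wikijs" }
    spec = {
      provider = "aws"
      parameters = {
        # RDS managed master secrets are JSON {"username": ..., "password": ...}; pick
        # the two fields out with JMESPath instead of exposing the whole blob.
        objects = yamlencode([{
          objectName = data.aws_ssm_parameter.rds_secret_arn.value
          objectType = "secretsmanager"
          jmesPath = [
            { path = "username", objectAlias = "DB_USER" },
            { path = "password", objectAlias = "DB_PASS" },
          ]
        }])
      }
      # Sync the mounted files into an Opaque Secret so the chart can envFrom it.
      secretObjects = [{
        secretName = "wikijs-db"
        type       = "Opaque"
        data = [
          { objectName = "DB_USER", key = "DB_USER" },
          { objectName = "DB_PASS", key = "DB_PASS" },
        ]
      }]
    }
  }
}
```

The synced `wikijs-db` Secret only appears after a pod in the namespace mounts the CSI volume, so the chart must mount the SecretProviderClass on the Wiki.js pod and not merely reference the Secret. Check with `kubectl -n wikijs get secret wikijs-db` before debugging DB connectivity.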

## 4. Ingress and TLS

| ID | Requirement |
| ---- | ------------- |
| R-W50-301 | Ingress SHALL be configured with the dedicated hostname `wikijs_fqdn` (read from Parameter Store bootstrap contract). |
| R-W50-302 | TLS SHALL use the existing ACM certificate ARN (from bootstrap Parameter Store). |
| R-W50-303 | Ingress SHALL use ALB annotations consistent with EKS Auto Mode (i.e. the EKS Auto Mode ingress controller creates the ALB). |
| R-W50-304 | The ALB SHALL be created via EKS Auto Mode ingress. The layer SHALL read `dns_role_arn` (i.e. **dns_assume_role_arn**) from Parameter Store (01-dns-main), assume that role via a provider alias, and create the Route 53 A (alias) record for `wikijs_fqdn` pointing to the ALB in the domain account. The layer SHALL publish ALB DNS name and ALB hosted zone ID to Parameter Store. |

## 5. Parameter Store Outputs

| ID | Requirement |
| ---- | ------------- |
| R-W50-401 | The layer SHALL publish to Parameter Store under `wikijs/<region>/<env>/50-app-wikijs/`: ALB DNS name, ALB hosted zone ID, and application URL. |
| R-W50-402 | Outputs SHALL be published under this layer's prefix only; the Route 53 record is created and managed by this layer (using **dns_assume_role_arn** from 01-dns-main). |
| R-W50-403 | The layer SHALL publish only under its own prefix. |

## 6. Verification

| ID | Requirement |
| ---- | ------------- |
| R-W50-501 | Wiki.js SHALL be reachable on the dedicated hostname over HTTPS with the existing ACM cert. |
| R-W50-502 | ArgoCD SHALL sync the Wiki.js application to a healthy state. |
| R-W50-503 | S3 assets bucket access from Wiki.js SHALL work via IRSA; RDS connectivity SHALL work from the cluster. |

## 7. Destroy Behavior

| ID | Requirement |
| ---- | ------------- |
| R-W50-601 | On `terraform destroy`, the layer SHALL first remove the Route 53 record (domain account, using **dns_assume_role_arn**), the ArgoCD Application, and any other Terraform-managed manifests (e.g. the Application manifest), allowing ArgoCD to remove the Wiki.js resources; it SHALL then remove the remaining layer-owned resources. |
| R-W50-602 | The layer SHALL delete its own Parameter Store prefix after successful destroy. |
| R-W50-603 | A provision workflow and a destroy workflow SHALL exist; this layer SHALL be destroyed first in the teardown order (before 45-argocd, 40-platform, etc.). |

## 8. Implementation Notes

- **Terraform:** `terraform/50-app-wikijs/` (ArgoCD Application, SecretProviderClass for RDS and Wiki.js app secret, Route 53 A record via provider `aws.main`, SSM outputs when ALB exists).
- **Apps layout:** `apps/wikijs/` with Chart.yaml (wrapper for Requarks Wiki.js, <https://charts.js.wiki>), `values/dev.yaml`, `values/prod.yaml` (DB secret, persistence, ingress with deterministic ALB name for Terraform lookup), optional `argocd/application.yaml`.
- **Workflows:** `tf-50-app-wikijs-provision.yaml`, `tf-50-app-wikijs-destroy.yaml`. Layer 50 reads `dns_role_arn` from Parameter Store (01-dns-main) during plan/apply/destroy; no CI pass-through or `extra_tf_vars` required.
- **Two-apply note:** ALB is created by EKS Auto Mode after ArgoCD syncs the Wiki.js Ingress. Route 53 record and SSM outputs are created only when the ALB exists; a second apply may be required after ArgoCD has synced. See `docs/runbooks/setup.md`.
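
The cross-account DNS wiring from R-W50-304 together with the two-apply behaviour above, as an added example that is not the project's own code: the role ARN is read from the 01-dns-main contract and assumed through a provider alias, the ALB created by EKS Auto Mode is discovered rather than managed, and both the Route 53 alias and the SSM outputs are created only once it exists. The Parameter Store names, the `ssm_root` variable, the ALB tag key, the session name and the assumption that 01-dns-main also publishes the hosted zone id are all mine, not the project's.

```hcl
variable "region"   { type = string }
variable "ssm_root" { type = string } # e.g. "/wikijs/<region>/<env>" (assumed path layout)
# Inputs published by earlier layers (parameter names assumed; zone id assumed from 01-dns-main).
data "aws_ssm_parameter" "fqdn"     { name = "${var.ssm_root}/00-bootstrap/wikijs_fqdn" }
data "aws_ssm_parameter" "zone_id"  { name = "${var.ssm_root}/01-dns-main/route53_zone_id" }
data "aws_ssm_parameter" "dns_role" { name = "${var.ssm_root}/01-dns-main/dns_assume_role_arn" }
# Provider alias assuming the domain-account DNS role; only the Route 53 record uses it,
# so the deployment account needs no standing Route 53 permissions of its own.
provider "aws" {
  alias  = "main"
  region = var.region
  assume_role {
    role_arn     = data.aws_ssm_parameter.dns_role.value
    session_name = "tf-50-app-wikijs-dns"
  }
}
# EKS Auto Mode creates the ALB from the synced Ingress, so discover it by tag (key
# assumed) rather than manage it; an empty result means "not synced yet" (two-apply note).
data "aws_lbs" "wikijs" {
  tags = { "ingress.k8s.aws/stack" = "wikijs/wikijs" } # <namespace>/<ingress name>
}
locals { alb_found = length(data.aws_lbs.wikijs.arns) > 0 }
data "aws_lb" "wikijs" {
  count = local.alb_found ? 1 : 0
  arn   = one(data.aws_lbs.wikijs.arns) # errors if more than one ALB matches the tag
}
# R-W50-004/304: alias record in the domain account, only once the ALB exists; destroyed with the layer.
resource "aws_route53_record" "wikijs" {
  count    = local.alb_found ? 1 : 0
  provider = aws.main
  zone_id  = data.aws_ssm_parameter.zone_id.value
  name     = data.aws_ssm_parameter.fqdn.value
  type     = "A"
  alias {
    name                   = data.aws_lb.wikijs[0].dns_name
    zone_id                = data.aws_lb.wikijs[0].zone_id
    evaluate_target_health = true
  }
}
# R-W50-401: outputs under this layer's own prefix only, gated the same way.
resource "aws_ssm_parameter" "out" {
  for_each = local.alb_found ? {
    alb_dns_name       = data.aws_lb.wikijs[0].dns_name
    alb_hosted_zone_id = data.aws_lb.wikijs[0].zone_id
    app_url            = "https://${data.aws_ssm_parameter.fqdn.value}"
  } : tomap({})
  name  = "${var.ssm_root}/50-app-wikijs/${each.key}"
  type  = "String"
  value = each.value
}
```

On the first apply `alb_found` is false and the plan contains neither the record nor the outputs; after ArgoCD has synced the Ingress, a second apply picks up the ALB and creates both, and `terraform destroy` removes them through the same alias before the Application is torn down.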
