diff --git a/terraform/main.tf b/terraform/main.tf
index 177d9e0..41435d4 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -40,7 +40,8 @@ resource "digitalocean_database_cluster" "postgres" {
   tags = var.tags
 }
 
-# Database firewall - allow App Platform apps
+# Database firewall - centralized here since mlb-stats owns the cluster.
+# Add other apps (e.g. gif-clipper) via additional_trusted_sources.
 resource "digitalocean_database_firewall" "postgres_fw" {
   cluster_id = digitalocean_database_cluster.postgres.id
 
diff --git a/terraform/terraform.tfvars.example b/terraform/terraform.tfvars.example
index 9e0593d..086729f 100644
--- a/terraform/terraform.tfvars.example
+++ b/terraform/terraform.tfvars.example
@@ -42,6 +42,13 @@ ga_measurement_id = "G-XXXXXXXXXX"
 # new_relic_api_key    = "your-new-relic-license-key"
 # new_relic_account_id = "your-account-id"
 
+# Shared Database Access (optional)
+# Grant other apps access to the managed database cluster.
+# Get app IDs with: doctl apps list
+# additional_trusted_sources = [
+#   { type = "app", value = "your-gif-clipper-app-id" },
+# ]
+
 # Optional: Override defaults
 # app_name       = "mlb-stats"
 # region         = "nyc"
diff --git a/terraform/variables.tf b/terraform/variables.tf
index 8098b85..3bca738 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -135,3 +135,4 @@ variable "new_relic_account_id" {
   type        = string
   default     = ""
 }
+