From 8d2da7f012a40eac7ceff78e367ea5948e661040 Mon Sep 17 00:00:00 2001
From: Carter Grove
Date: Sun, 22 Feb 2026 13:49:35 -0500
Subject: [PATCH] Add gif-clipper database firewall access

Centralize database firewall management here since mlb-stats owns the shared PostgreSQL cluster. Add optional gif_clipper_app_id variable to grant the gif-clipper app database access.

Co-Authored-By: Claude Opus 4.6
---
 terraform/main.tf | 10 +++++++++-
 terraform/variables.tf | 7 +++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/terraform/main.tf b/terraform/main.tf
index 425f989..de64bf9 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -40,7 +40,7 @@ resource "digitalocean_database_cluster" "postgres" {
 tags = var.tags
 }
 
-# Database firewall - only allow App Platform
+# Database firewall - centralized here since mlb-stats owns the cluster
 resource "digitalocean_database_firewall" "postgres_fw" {
 cluster_id = digitalocean_database_cluster.postgres.id
 
@@ -48,6 +48,14 @@ resource "digitalocean_database_firewall" "postgres_fw" {
 type = "app"
 value = digitalocean_app.mlb_stats.id
 }
+
+ dynamic "rule" {
+ for_each = var.gif_clipper_app_id != "" ? [var.gif_clipper_app_id] : []
+ content {
+ type = "app"
+ value = rule.value
+ }
+ }
 }
 
 # App Platform Application
diff --git a/terraform/variables.tf b/terraform/variables.tf
index 297fc7f..3dd486d 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -125,3 +125,10 @@ variable "new_relic_account_id" {
 type = string
 default = ""
 }
+
+# Shared database access
+variable "gif_clipper_app_id" {
+ description = "DigitalOcean App ID for gif-clipper (grants database access)"
+ type = string
+ default = ""
+}
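Review bot: The rewritten comment above `postgres_fw` no longer says what the firewall is meant to permit, which was the one line a reader could check the rules against. Both rules visible in this patch are `type = "app"`, so the comment can keep that invariant alongside the ownership note: `# Database firewall - only App Platform apps are trusted sources; managed here because mlb-stats owns the cluster`. The resource body continues past this hunk.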
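Review bot: The new `dynamic "rule"` in `postgres_fw` admits gif-clipper at the network level only, and nothing in this patch gives that app its own database user or database. If it connects with the mlb-stats credentials, the firewall entry is the only separation between the two apps, so a dedicated `digitalocean_database_user` (and database) for gif-clipper would be worth adding alongside it. Since this resource appears to manage the cluster's whole trusted-source list, it is also worth confirming that gif-clipper's own configuration no longer declares a firewall for the same cluster, otherwise the two will likely overwrite each other on apply. A short comment on the block would help too: `# Optional second trusted source; an empty gif_clipper_app_id adds no rule`.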
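Review bot: `gif_clipper_app_id` accepts any string and passes it straight into a firewall trusted-source rule, so a typo or a pasted app name only surfaces at apply time, and an explicit `null` slips past the `!= ""` test in main.tf. A `validation` block that allows the empty default or a UUID-shaped value, together with `nullable = false`, would reject both at plan time. This assumes App Platform IDs are lowercase UUIDs and that the project's minimum Terraform version supports `nullable`; confirm both before adopting.

```hcl
variable "gif_clipper_app_id" {
  # … unchanged: description, type, default …
  nullable = false

  validation {
    condition = (
      var.gif_clipper_app_id == "" ||
      can(regex("^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", var.gif_clipper_app_id))
    )
    error_message = "gif_clipper_app_id must be empty or a DigitalOcean App ID (UUID)."
  }
}
```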