From d7bb0adfe081b74d9f36eb09fefc64d22bd32ab3 Mon Sep 17 00:00:00 2001
From: Tin Vo
Date: Fri, 23 May 2025 12:40:00 -0700
Subject: [PATCH] VAULT-35642: Adding comments for Enos premade aws role and policy (#30731)

* adding comments for premade aws role and policy

* fixing comments
---
 .../verify_secrets_engines/modules/create/aws/aws.tf | 7 ++++++-
 .../modules/verify_secrets_engines/modules/read/aws/aws.tf | 2 +-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/enos/modules/verify_secrets_engines/modules/create/aws/aws.tf b/enos/modules/verify_secrets_engines/modules/create/aws/aws.tf
index 3fc5a79e73..afd9db957e 100644
--- a/enos/modules/verify_secrets_engines/modules/create/aws/aws.tf
+++ b/enos/modules/verify_secrets_engines/modules/create/aws/aws.tf
@@ -76,11 +76,16 @@ data "aws_caller_identity" "current" {}
 data "aws_region" "current" {}
-# Using Pre-made policy and role
+# The "DemoUser" policy is a predefined policy created by the security team.
+# This policy grants the necessary AWS permissions required for role generation via Vault.
+# Reference: https://github.com/hashicorp/honeybee-templates/blob/main/templates/iam_policy/DemoUser.yaml
 data "aws_iam_policy" "premade_demo_user_policy" {
 name = "DemoUser"
 }
+# This role was provisioned by the security team using the repository referenced below.
+# This role includes the necessary policies to enable AWS credential generation and rotation via Vault.
+# Reference: https://github.com/hashicorp/honeybee-templates/blob/main/templates/iam_role/vault-assumed-role-credentials-demo.yaml
 data "aws_iam_role" "premade_demo_assumed_role" {
 name = "vault-assumed-role-credentials-demo"
 }
diff --git a/enos/modules/verify_secrets_engines/modules/read/aws/aws.tf b/enos/modules/verify_secrets_engines/modules/read/aws/aws.tf
index 6be2491996..5a3dbe456f 100644
--- a/enos/modules/verify_secrets_engines/modules/read/aws/aws.tf
+++ b/enos/modules/verify_secrets_engines/modules/read/aws/aws.tf
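Review bot: The new comments above the two `data` sources point at the template repository but do not say that both lookups resolve by name only, so the module has an unstated dependency on the `DemoUser` policy and the `vault-assumed-role-credentials-demo` role already existing in whichever AWS account the test credentials target; if either is absent the failure surfaces at the data-source read during plan, not in the verification step. Suggest adding one line to each comment, e.g. `# NOTE: looked up by name only; the target account must already contain this resource (provisioned from the template above) or the module fails at plan time.` "Grants the necessary AWS permissions" also leaves a maintainer with nothing to compare against the template when the test breaks; naming the Vault operations the permissions are meant to cover would help (the role name suggests the AWS secrets engine's assumed-role credential type, but that is inferred, not visible here). The lines in this hunk are comments and data-source lookups only; the consumers of these data sources are outside the hunk.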
@@ -42,7 +42,7 @@ variable "verify_aws_engine_creds" { type = bool }
-# Verify PKI Certificate
+# Verify AWS Engine
 resource "enos_remote_exec" "aws_verify_new_creds" {
 for_each = var.hosts